Many U.S. companies falling under the EU General Data Protection Regulation (the “GDPR”) are scrambling to prepare for the rapidly approaching May 25, 2018, enforcement deadline. A critical component to a robust and effective GDPR compliance program is the Data Protection Officer (“DPO”).
The GDPR views the DPO “as a key player in the new data governance system….” The Article 29 Working Party (“WP29”) further describes the “DPO as a cornerstone of accountability and that appointing a DPO can facilitate compliance and furthermore, become an advantage for businesses.” The WP29 goes on to advise that even where the GDPR does not mandate the appointment of a DPO, “organisations may sometimes find it useful to designate a DPO on a voluntary basis.”
Whether required to do so by the GDPR or doing so voluntarily, those companies searching for a qualified DPO face an uphill battle as the International Association of Privacy Professionals estimates the need for at least 28,000 DPOs in Europe alone. Therefore, it is critical that an organization understand the necessity and role of this position.
What Companies Should Designate a DPO?
The WP29 succinctly sums up the critical role of the DPO: “[DPOs] will be the heart of this new [GDPR] legal framework for many organisations, facilitating compliance with the provisions of the GDPR.” The bottom line is that GDPR compliance is complex, and a qualified DPO should lead your compliance program.
Article 37 of the GDPR requires the appointment of a DPO where a “core activity” of the business is the processing of personal data of EU citizens “which require regular and systematic monitoring” of data subjects “on a large scale.”
The GDPR views a “core activity” as one that is key to the operation of the business. For instance, the processing of health records is a “core activity” of a hospital. Alternatively, the processing of personal data for internal payroll is likely not.
While the GDPR provides little guidance on the meaning of “regular and systematic monitoring,” the WP29 advises that this concept “clearly includes all forms of tracking and profiling on the internet, including for the purpose of behavioral advertising.”
The definition of “large scale” is also absent from the GDPR text. Here again however, the WP29 provides the following factors to consider in this regard:
- The number of data subjects concerned - either as a specific number or as a proportion of the relevant population;
- The volume of data and/or the range of different data items being processed;
- The duration, or permanence, of the data processing activity; and
- The geographical extent of the processing activity.
Examples of large scale processing include:
- Processing of patient data in the regular course of business by a hospital;
- Processing of travel data of individuals using a city’s public transport system (e.g. tracking via travel cards);
- Processing of real time geo-location data of customers of an international fast food chain for statistical purposes by a processor specialised in these activities;
- Processing of customer data in the regular course of business by an insurance company or a bank;
- Processing of personal data for behavioural advertising by a search engine; or
- Processing of data (content, traffic, location) by telephone or internet service providers.
Examples that do not constitute large-scale processing include:
- Processing of patient data by an individual physician; or
- Processing of personal data relating to criminal convictions and offences by an individual lawyer.
Finally, the GDPR is void of a precise definition of “regular and systematic monitoring of data subjects.” As noted above, the WP29 warns that this concept “clearly includes all forms of tracking and profiling on the internet, including for the purposes of behavioural advertising.” Moreover, the WP29 advises that this concept further includes such activities as:
- Operating a telecommunications network;
- Providing telecommunications services;
- Email retargeting;
- Data-driven marketing activities;
- Profiling and scoring for purposes of risk assessment (e.g. for purposes of credit scoring, establishment of insurance premiums, fraud prevention, detection of money-laundering);
- Location tracking, for example, by mobile apps; loyalty programs; behavioural advertising;
- Monitoring of wellness, fitness and health data via wearable devices; or
- Closed circuit television; connected devices e.g. smart meters, smart cars, home automation, etc.
The WP29 further interprets ‘regular’ as:
- Ongoing or occurring at particular intervals for a particular period;
- Recurring or repeated at fixed times; or
- Constantly or periodically taking place.
The WP29 interprets ‘systematic’ as meaning one or more of the following:
- Occurring according to a system;
- Pre-arranged, organised or methodical;
- Taking place as part of a general plan for data collection; or
- Carried out as part of a strategy.
In sum, any business targeting EU citizens for the sale of its goods or services should seriously consider its need for a DPO.
What is the Role of a DPO?
The DPO’s main responsibility is “monitoring compliance” with the GDPR, which the WP29 specifies as:
- Collect[ing] information to identify processing activities;
- Analy[zing] and check[ing] the compliance of processing activities; and
- Inform[ing], advis[ing] and issu[ing] recommendations to the controller or the processor.
In addition, the DPO is responsible for:
- Ensuring that enterprise data processing is compliant with the rights of all data subjects;
- Designing, implementing, and maintaining data protection “by design and by default”; and
- The communication and notification of data breaches.
What Qualifications Should a DPO Have?
According to Article 37(5) of the GDPR, a DPO “shall be designated on the basis of professional qualities and, in particular, expert knowledge of data protection law and practices and the ability to fulfil the tasks referred to in Article 39.” The WP29 provides further guidance, advising that a DPO should have the following skills and background:
- Expertise in national and European data protection laws and practices including an in-depth understanding of the GDPR;
- Understanding of the processing operations carried out;
- Understanding of information technologies and data security;
- Knowledge of the business sector and the organization; and
- The ability to promote a data protection culture within the organization.
CyberSquire Can Help
CyberSquire understands the regulatory complexities of the GDPR and the resulting financial burden to companies. To aid our clients with the design and implementation of an operationally and cost-effective GDPR compliance program, we offer a Virtual DPO service.
We assign each client a designated DPO with the requisite skills and ability to provide end-to-end DPO services. Moreover, our Virtual DPO will take the time to understand your business operations and how best to leverage your company’s resources to fully and comprehensively achieve GDPR compliance.
Contact us to learn more about how we can help.