In May of 2018, the European Union’s General Data Protection Regulation (GDPR) came into force. This wide-reaching law touches any company, no matter what size or type, as long as it processes the personal data of EU citizens or does business within the EU. The GDPR sets out a series of requirements that dictate how a business should process personal data from customers, clients, employees, contractors and more. (A previous article explains how the GDPR impacts data collection practices.)

As part of the original remit of the GDPR, there was a provision to employ a Data Protection Officer, or DPO. In this article, we will address some of the main questions around the use of a DPO and look at what benefits a DPO can offer your business.

What Does a Data Protection Officer (DPO) Do?

Your DPO is your data privacy expert. They must be competent and experienced enough to understand the nuances of the GDPR and give advice on how to accommodate the requirements of the law. They should also be able to monitor your internal compliance strategy and process.

One of the most useful aspects of going through GDPR compliance is carrying out a Data Protection Impact Assessment (DPIA), and a DPO will be able to give advice on how to do so. Another aspect of the DPO’s job is to act as a contact point between data subjects and the supervisory authority, an independent body which oversees the implementation of the GDPR.

For more information, you can also see Article 51 of the GDPR.

What Is a Data Protection Impact Assessment (DPIA)?

A Data Protection Impact Assessment, or DPIA, is a method of carrying out a risk analysis of the uses of personal data in an organization. It is not a one-off action but more of a process, and one that has to be repeated if certain things, such as data processing, change.

A DPIA is ultimately used as part of the accountability expected by the GDPR to demonstrate you are taking privacy seriously and putting actions in place to protect data. A DPIA will go through the entire life cycle of data processing to assess these actions. GDPR Article 35 (clause 7) has more details on the types of assessment needed.

The GDPR mandates that a DPIA is carried out under certain circumstances. If a DPIA has not been carried out as required, your organization is subject to a fine at the rate of 2% of your annual global turnover or €10 million, whichever is greater.

A DPO has the expertise to know where a DPIA should be applied and what methodologies should be used to carry it out effectively. The DPO will also document any advice and decisions made when implementing a DPIA.

What Type of Organization Must Employ a DPO?

In the latest version of the GDPR, Article 37 sets out which companies must employ a DPO. There are three broad criteria that define the organizations which fall into this camp:

  1. Public authority or body
  2. Organization that processes data on a large scale
  3. Organization that processes “special category” data

The GDPR does not mandate the use of a DPO elsewhere. However, it strongly suggests using one if your organization is public-facing: for example, if it works with health data, is in broadcasting, is a public transport operator and so on.

Do I Need to Employ a DPO If My Organization Is Not Based in Europe?

If your organization offers goods or services to persons located in the EU and collects and/or processes their personal data (or collects behavioral data), you will have to comply with the GDPR. There are some nuances around this and it can become complicated.

This is where a DPO comes in. They have the expertise to look at your specific commercial setup and determine the level of GDPR compliance required.

There has been an interesting backlash to the GDPR in non-EU countries, where some organizations have decided not to play in the European marketplace to avoid compliance issues. Unroll.me, for example, is not supporting EU users to avoid the need to be GDPR-compliant. This not only sends a very poor message about an organization’s respect for users’ privacy in general, but it also closes off a large market for a service.

Further details can be found in our article on What U.S. Companies Need to Know About EU Privacy Laws.

How Do I Employ the Services of a DPO?

A DPO can be chosen from existing staff or brought on as a third-party consultant. A Data Protection Officer isn’t necessarily a technical person: they could, for example, have some legal knowledge and specialize in privacy and compliance.

Typical roles that fit the bill include auditors, IT compliance specialists, privacy lawyers and non-technical managers who have privacy and compliance expertise. When looking for a DPO, check out the certifications of the individual; there are a number of privacy certifications that cover GDPR compliance.

Post-GDPR, Is It Too Late to Comply?

As they say, it’s never too late to make a difference. The same is true for GDPR.

If you have not looked at the various aspects of GDPR compliance but believe that you might come under the remit of the law, then act quickly. Cases against companies are beginning to surface as breaches occur after the May 25th enactment of the law. For example: the Hilton breach of 2015, which resulted in a $700K fine, would now be $420 million under the new GDPR fine levels.

One of the quickest ways to check if you are GDPR-compliant, or if not, what to do to get there, is to use the services of a privacy professional such as a DPO.

Why Your Business Needs a Data Protection Officer

There are direct and indirect benefits of employing the services of a DPO.

1. Expertise

The GDPR has been savaged for being “nuanced.” There are clauses in the final version of the GDPR that are complicated even for lawyers to interpret. Having someone who actually understands the details of the law, and can understand how to apply them, will not only save time and money but also prevent costly mistakes.

2. Fine Prevention

GDPR fines are set at two levels: 2% of global revenue or 10 million euros, whichever is higher; or 4% of global revenue or 20 million euros, whichever is higher. The application of the level depends on what misdemeanor you have committed. Typically, the 2% level will be applied for not using a DPIA correctly. The 4% level is applied for non-compliance around, for example, configuring “consent” correctly.

Utilizing a DPO can ultimately lead to cost savings. As mentioned above, a privacy professional does not have to go through a learning curve to understand what is required to become GDPR-compliant. They can advise you on how to carry out a DPIA, which will ultimately protect your organization from the threat of GDPR fines.

3. Streamlining Communications

Part of the remit of the GDPR covers communication channels. This includes documentation and breach notification. Having a DPO who understands the lines of communication and when to enact them will help your company go through a highly managed and legal process if you suffer a data breach. It could save you the cost of a massive fine.

Documentation, too, is a place where a DPO can advise and help. The GDPR has strong documentation requirements, especially for firms employing over 250 employees. A DPO can advise and help with building your documentation portfolio.

4. R.E.S.P.E.C.T

Being respectful of privacy pays. Cases where lack of respect for privacy is obvious, such as the Facebook/Cambridge Analytica scandal, show the implications of such actions; Facebook lost around $111 billion in share price after the violation surfaced. And it doesn’t end there: Facebook and Google are facing a court action brought by Max Schrems on GDPR privacy violations.

Utilizing the services of a DPO who is a privacy professional with expertise on compliance issues can ensure you understand data privacy and how to be respectful towards the data of an individual.

5. GDPR and Beyond

Similar privacy laws are popping up in other places outside of the EU. One example is the California Consumer Privacy Act of 2018 (CCPA), which has some similarities to the GDPR. A DPO can help to work out where and how the variety of data protection laws may impact your business.

Finding a Professional

The GDPR might not mandate the use of a DPO in all circumstances. However, using professional services from people who really know the state of play is priceless. Not only can they reduce the learning curve for your organization, they can also save you from the large fines imposed by GDPR and other data protection regulations.

 

Sources

Art. 52 GDPR – Supervisory authority, GDPR

Article 35 EU GDPR – “Data protection impact assessment,” PrivazyPlan

Privacy Impact Assessments, Federal Trade Commission

Article 37 EU GDPR – “Designation of the data protection officer,” PrivazyPlan

Unroll.Me and GDPR, unroll.me

Hilton Was Fined $700K for a Data Breach. Under GDPR It Would Be $420M, Digital Guardian

Regulation (EU) 2016/… of the European Parliament and of the Council, GDPR

Facebook Stock Price Plunge: Why the Social Network’s Value is in Free Fall, The Independent