GDPR and the role of a Data Protection Officer

The General Data Protection Regulation (GDPR) mandates that businesses assess, design, implement, monitor and supervise user privacy by protecting data. How can businesses ensure that all their legal obligations emanating out of GDPR are complied with in spirit and substance?  Well, the GDPR itself has an answer to this question – appoint a Data Protection Officer ("DPO"). In simple terms, a Data Protection Officer is a GDPR subject-matter expert. A DPO manages and oversees all aspects of compliance with GDPR and has final say on disclosure notices, security measures and all other pertinent provisions.

Are all businesses required to appoint a DPO?

As per the provisions of GDPR, a DPO is required in the following cases:

  •  Processing carried out by a public authority or body;
  •  Businesses involved in regular and systematic monitoring of user data on a large scale as their core activities; and  
  • Businesses involved in processing a large scale of special categories of data and personal data relating to criminal convictions and offenses.

The GDPR has established a number of instances where a DPO is needed; however, it is in the best interest of every business to appoint a DPO to demonstrate its commitment to user protection and privacy, and to gain trust among its consumers.

Are all businesses involved in data processing required to appoint a DPO?

Not exactly.  Businesses are required to appoint a DPO only if:

  • Data processing is considered as part of their core operations; or
  • Their activities require regular and systematic monitoring of user data on a large scale.

Core operations are the primary business activities of an organization, i.e., if a business requires processing of personal data to achieve its key objectives, then it is considered a core activity. This determination requires an analysis of the nature, scope and purpose of data processing.  Core operations do not involve processing personal data for secondary purposes, which are considered only incidental to the business operations (For example, payroll or HR information in your business).

Regular and systematic data monitoring includes all forms of tracking and profiling, both online and offline. The data processing should be continuous based on pre-defined criteria and a set of standard processing activities. This includes the use of algorithms, data analytics and artificial intelligence to predict user behavior and targeted advertising.  For example, offering recommendations to customers based on browsing history and past purchases on an online e-commerce website is continuous, and must be based on pre-defined criteria reviewed by a DPO.

How can businesses determine if they process data on a large scale?

What amounts to large scale data processing is highly subjective, and additional clarity will be gleamed from judicial bodies as the GDPR unravels.  To date, the GDPR does not lay out any quantitative parameters to determine the fulfilment criteria.  The GDPR does provide some indicative factors to consider for such a determination:

  • Numbers of data subjects concerned;
  • Volume of personal data being processed;
  • Range of different data items being processed;
  • Geographical extent of the activity; and
  • Duration or permanence of the processing activity.

Who can be a DPO?

A DPO should be designated on the basis of professional qualities, expertise in data protection laws and practices, and the ability to fulfil the responsibilities cast by the GDPR. A DPO may or may not be an employee.  A third party having the requisite qualifications and competence is also permitted to be appointed as a DPO.  A DPO may discharge responsibilities for various businesses having regard to their organizational structure, size and accessibility to each business.

What is the position of a DPO in a business?

A DPO should be adequately and periodically involved in all issues concerning data protection within the business.  All businesses should support the DPO in discharge of his responsibilities by providing necessary resources and access to personal data and processing operations.  In order to maintain a high degree of independence and be insulated from execution of day to day operations, the DPO should directly report to the highest management level in a business and shall not be dismissed and penalized for performing his obligations.

A DPO shall be the designated point of contact for all communications pertaining to processing personal data and exercising rights granted to end users under the GDPR.  The details of the DPO shall be disclosed in the end user policies and commercial contracts. The DPO shall be bound by confidentiality, and his actions shall not result in a conflict of interest.  Businesses should also ensure that the DPO is able to take an independent stance in evaluating issues notwithstanding his duties as an employee of the company.

What are the tasks of a DPO?

The role of a DPO by its very nature is dynamic and the role responsibilities cannot be described exhaustively. The following factors are considered by the GDPR:

  • Advisory: The DPO shall act as an advisor to all stakeholders by keeping them informed of their obligations under the GDPR;
  • Monitor compliance: The DPO shall monitor compliance of data protection measures, implementation of data protection policies, assignment of responsibilities, awareness-raising and training of staff involved in data processing operations and related audits;
  • Impact assessment: The DPO shall act as an advisor for undertaking data protection impact assessments and monitoring initiatives;
  • External representation: The DPO shall act as the point of contact for supervisory authority and end users in relation to various obligations outlined in the GDPR.

The GDPR does not mandate that the DPO report noncompliance to supervisory authorities, but the DPP is tasked to assist the businesses in undertaking substantive compliance initiatives. The decision to appoint a DPO should be weighed based on the potential risks and threats rather than legal obligations. Businesses should adapt to the best practices in order to demonstrate compliance and gain consumers trust.  In conclusion, the DPO should not be looked at as a “snooping insider” or a “necessary evil”, but rather as a valuable, helpful, and promising asset to every business.

If your organization is concerned about governance, risk mitigation, regulatory compliance, human resources management and ethics, we can help simplify things for you. Call us at 973-520-6131. You can also get in touch on our website at www.riddlecompliance.com. We’re passionate about supporting our clients with respect, transparency, and unparalleled expertise.