Internal or External: The Data Protection Officer Question

The need to appoint a Data Protection Officer (DPO) continues to be a hot topic when discussing GDPR, and with good reason. If required, this position carries a lot of weight and responsibility. For many companies, this selection would necessitate the reorganization of certain tasks to enable the absolute independence being sought per the legislation. So, do you need one?

Do I Need a DPO?
Per Article 37 a DPO is required under a couple circumstances when a company’s core activities include:

• Large scale data processing operations which require regular and systematic monitoring of data subjects or;
• Large scale data processing of special categories of data (i.e. sensitive data such as health, religion, race, sexual orientation etc.) and personal data relating to criminal convictions and offences or;
• You are a public authority and are always required to employ a DPO

Simply put, if you do not fall under these categories, you do not need to appoint a full-time DPO responsible for the tasks below and detailed in Article 39. If you do, you will need to provide accommodations to enable complete objectivity throughout their duties regarding GDPR.

• Informing and advising the controller or processor and its employees of their obligations to comply with the GDPR and other data protection laws.
• Monitoring compliance with the GDPR and other data protection laws, including managing internal data protection activities, training data processing staff, and conducting internal audits.
• Advising with regard to data protection impact assessments when required under Article 35.
• Working and cooperating with the controller’s or processor’s designated supervisory authority and serving as the contact point for the supervisory authority on issues relating to the processing of personal data.
• Being available for inquiries from data subjects on issues relating to data protection practices, withdrawal of consent, the right to be forgotten, and related rights.

A Word of Caution
As examined in other articles, The Strategic Advantages of GDPR and The GDPR Countdown: How to Plan your Next 256 Days, GDPR allows for each member state to implement certain sections of the legislation as they see fit. In other words, to make it more stringent where needed. If you are working or collecting data on EU residents in the following states, you may have to appoint a DPO, even if you do not meet the larger requirements of the entire GDPR.
These EU Member States are:

• Germany
• Croatia
• Hungary
• Spain

Who is Qualified to be a DPO?
A DPO has a broad set of responsibilities that require someone with significant time working in and around the law, as well as an individual with deep technical expertise.

Now, realistically, you are not going to find a person who has all the optimal characteristics and that’s ok.
When we look for advice or precedence, it makes sense to look at Germany. Germany has required its companies to employ a DPO, in a similar fashion to GDPR, for quite some time. Looking at individuals within that jurisdiction can provide a bit of context as to how this needs to work.

More than anything you are looking for an individual who understands the law, what type of data your company has, the reason for its existence and how the technology underpinning your operations are constructed from a high-level.

What are your Options if you don’t Need a Full-time DPO?

While you may not need a full-time DPO, it is advised to, at the very least, have someone within your ranks able to perform the tasks and keep the company apprised of any updates and guidance that may impact how your organization handles data protection for your EU data subjects.

The best option is to appoint or contract a Virtual Data Protection Officer (or vDPO). The vDPO may work for other organizations in a similar marketplace, scale that doesn’t require full-time like yours and thus utilizes this individual or individuals to keep them informed.

For companies in this category, a vDPO will come with a unique advantage: a mutli-organizational vantage point. They are by definition, working with more than one business. They may not be able to tell you the underpinnings or details of each business by design, but they will be able to provide context as to how certain areas of the legislation are being interpreted across markets and member states. This gives you a leg-up and a way to prepare proactively for any aspects that may affect your business moving forward. Think of it as the GDPR extension for your global data protection program and allow your internal team to focus on the day-to-day needs for your customers.

Let the Location of your Data Subjects Guide your Decision

As with most things GDPR, we are still awaiting confirmation on the true definition of core activities and large scale. Presently, there is not enough consensus. Some legal scholars have gone as far to say that there may be “diverging opinions” on the definition and it will thus be at the discretion of your supervisory authority. Our guidance is to look at where your data subjects reside. If you are in an area with a tougher threshold, it is wise to at least, appoint an individual internally to add those responsibilities or a vDPO if you are potentially on the cusp. Beyond that, staying abreast of new guidance on the matter is advised.

About the Authors
Christina Whiting is the managing director of enterprise risk and compliance at Tevora.
David Grazer is the privacy practice lead for enterprise risk and compliance at Tevora.