The General Data Protection Regulation (GDPR) is little less than a year away and companies are starting to move towards achieving compliance, with some needing to appoint a Data Protection Officer.
It may not be due to come into effect until 25 May 2018, but GDPR has already undergone a sea change in its relatively short lifetime. Data breach fines, breach notifications and personal data consent have all been tweaked as the legislation passed through the European law-making process, with another key change being the requirement for a Data Protection Officer (DPO).
Originally, GDPR outlined that it would be mandatory for all companies with more than 250 employees to hire a DPO, but this threshold was removed from the final version of the regulation. As of now, the pool of companies needing to hire a DPO is much smaller, with Article 37(1) of the regulation confining the obligation to public authorities, organisations whose core activities involve large-scale regular and systematic monitoring of individuals, and organisations whose core activities involve large-scale processing of “special categories of data”.
However, experts believe that you can improve your approach to GDPR if you do employ a DPO. And considering GDPR affects every organisation that processes personal data for EU citizens, it might be time to read the small print.
Daniel Hedley, senior associate, Irwin Mitchell LLP, explains: “Most organisations won’t be directly required to appoint a Data Protection Officer because strictly speaking, GDPR only actually obliges organisations to appoint one if they’re public bodies, if they’re engaged in large-scale systematic monitoring of people, or if they’re engaged in large-scale processing of certain special categories of data such as information about people’s health or criminal records.”
Who needs a Data Protection Officer?
Public bodies include healthcare, educational, emergency services and governmental organisations, all of which come under the requirement to appoint a dedicated DPO, with the specific responsibilities and functions defined by the new regulation. The requirement is also likely to apply to private companies that carry out public functions, or deliver public services such as water, public transportation, energy and housing.
As for the private businesses that engage in large-scale systematic monitoring or data processing as a primary activity, this refers to things like behavioural advertising, online tracking, CCTV, and even administering loyalty programs. Also, worth noting is that the definition applies to both digital and off-line processes and practices, with which the DPO will need to be familiar.
Hedley adds, “GDPR is a complex piece of legislation, and it makes a lot of big changes which put data rights very much front and centre of the compliance agenda.
“That means that someone in every organisation is going to have to take ownership of it either way, and in my experience existing in-house IT and legal teams are already so stretched that they will struggle to take on the extra work unaided.”
Peter Gooch, partner in cyber risk services at Deloitte UK, adds, “Organisations need to look at how they manage privacy and data protection more proactively. While DPOs are now required for most organisations, it doesn’t stipulate that they have to be dedicated, or even internal resources.”
He continues, “Organisations should look at how they meet their responsibilities under GDPR more broadly, whether using a network of privacy champions, a central team or even outsourced support. What’s important is that the resource they have available is appropriately skilled and proportionate to the risk profile of their processing.”
Compliance and training
In cases where the Data Protection Officer is a requirement, the role differs from other IT and information-centric functions such as the CIO or IT Director, who are focused on business and technology strategy; the CISO, who has a security-centric remit; or the chief data officer (CDO) who also has a technology-oriented position.
Instead, the DPO will work across business departments to inform employees of their obligation to comply with GDPR and other data protection laws. They are also responsible for monitoring compliance, providing training and internal audits, and advising on data protection impact assessments (DPIAs).
Importantly, DPOs are the point of contact for the supervisory authority on data protection matters, and must also be available to individuals with questions about the processing of their data or the exercise of their rights, which range from withdrawal of consent to the Right to Be Forgotten (officially known as the ‘right to erasure’ - Ed).
Where their company is a data controller, the DPO will typically be the one to report a personal data breach to the supervisory authority without undue delay and, where feasible, within 72 hours of the controller becoming aware of it, or to provide a “reasoned justification” for any delay, as well as to inform affected customers (officially known as ‘data subjects’) when the breach is likely to result in a high risk to them. Data processors must inform the data controller without undue delay.
As part of the notification, the controller must “at least” describe the nature of the personal data breach; give the name and contact details of the DPO or another point of contact; set out the likely consequences; and explain the measures taken or proposed to address the breach and mitigate its effects.
Wide-range of responsibilities
Digital security expert and independent advisor Neira Jones comments that the DPO has a very broad range of responsibilities.
She explains, “The DPO is responsible for application of policies, assignment of responsibilities, staff training and audit, and liaising with Competent Authorities. They must have a good understanding of information/cyber security, data protection and data privacy, and of the applicable laws.” These include GDPR, DPA, e-Privacy, NIS, EU-US Privacy Shield, and for financial services, PSD2/AML, says Jones.
She adds, “They must have a good understanding of the supply chain in their sector and should also understand contract law, and be an extremely good communicator and negotiator. In other words, they should be wearing a cape. Who’d want the job? Seriously though, the EU is going to need 28,000 DPOs to meet the requirements of the regulations, so there is a massive opportunity here.”
In reality, the DPO has a privileged position, with major advantages. Earlier drafts of the regulation fixed a minimum term of office (four years for an employee, or two years for an external contractor); the final text drops the fixed term but keeps the protections around the role. DPOs are expressly granted significant independence in their job functions and may perform other tasks and duties provided these do not create a conflict of interest.
In addition, they must report directly to the highest level of management, and be given adequate company resources to meet their obligations under the GDPR and to maintain their expert knowledge through ongoing training. They must not receive instructions on how to carry out their tasks, and cannot be dismissed or penalised as a result of doing their job.
Business benefits of the Data Protection Officer
Despite the obligations, businesses also stand to benefit from appointing and supporting a DPO, argues Irwin Mitchell LLP’s Daniel Hedley. “Since the core job of a DPO is to be the business’ in-house data rights expert and the first point of contact with data subjects and regulators, most technology- or data-driven businesses of any size or complexity will, I think, find that having a nominated DPO is advantageous, not only in terms of its own internal compliance efforts but also in sending a message to its customer base that it takes compliance seriously,” he says.
Elliott Haworth, business features writer at City AM, who specialises in GDPR, adds, “Having someone at a board level who understands the technicalities of the regulation – what constitutes best practice, how to react in a breach, or respond to subject access requests – can only be beneficial once GDPR is enshrined into law next year.”
The DPO will also be ideally positioned to help companies explore and assess new business opportunities that utilise data assets, for example by identifying new revenue streams or helping siloed business departments to share data in a mutually beneficial way.
Consequently, whilst some organisations are required to have a DPO, others may find that voluntarily appointing one is beneficial to the business as the GDPR deadline approaches.