xMatters is running a four-part blog series as a compliance checklist for the European Union (EU) - General Data Protection Regulation (GDPR).
Under the GDPR, you may have to appoint a Data Protection Officer (DPO). This blog post will help you determine whether you need to appoint a DPO, plus the qualifications, roles, and responsibilities of the DPO. We even recommend some important initial activities.
Not every organization needs to appoint a Data Protection Officer when the GDPR goes into effect on May 25, 2018. There are specific criteria for whether you have to appoint one, but some of them are ambiguous, and leave room for interpretation. Even if your organization does not have to appoint a DPO, it may elect to do so.
However, because a DPO's role and responsibilities can be fairly specific, some experts recommend that if you voluntarily appoint a DPO, that you give that person a title other than DPO to avoid confusion. Here are some tasks in regard to a Data Protection Officer.
1. Determine Whether You Have to Appoint a Data Protection Officer
The GDPR is written to protect personal data, so it should be no surprise that you must appoint a Data Protection Officer if your controller or processor regularly exposes sensitive personal information as a core part of their role. In short, you must appoint a DPO if one of the following is true:
- Processing is executed by a public authority (except for courts acting in their judicial capacity).
- The controller or processor's regular processing operations require systematic monitoring of data subjects on a large scale (note that there is no set definition for "large scale").
- The controller or processor regularly process personal data that reveals race or ethnic origin, religious beliefs or affiliation, political leanings, or trade union membership.
- The controller or processor processes personal data exposing genetic information, biometric data intended to uniquely identify someone, personal health data, or data about a person's sexual activity or orientation.
- The controller or processor processes personal data relating to criminal convictions and offenses.
There are exceptions and details, some of which are open to interpretation; but for the most part, the above list should help you determine whether you need a DPO. For more information, refer to the EU-GDPR Section 4.
There are specific criteria for whether you have to appoint a Data Protection Officer, but some of them are ambiguous.
2. Confirm What a Data Protection Officer Does
A Data Protection Officer is responsible for setting direction and making appropriate changes to affect compliance, and the DPO is held accountable for compliance.
You can sign a contractor to act as DPO if you don't want to hire a full-time employee. In fact, multiple groups may choose to appoint and share a single DPO. Some groups of public authorities may choose to share a DPO too.
Data Protection Officers are tasked with ensuring protecting personal information, but they have certain rights under the GDPR too.
- You cannot dismiss or penalize a DPO for performing his or her responsibilities (a departure from "at will" employment most U.S. employees are used to).
- You cannot restrict a DPO's access to data processing personnel and operations.
- You must allow a DPO significant independence.
- You must give a DPO a direct reporting line to the highest levels of management.
The repercussions are severe for obstructing or failing to support the Data Protection Officer.
3. Give Your Data Protection Officer the Necessary Support
At the very least, your DPO's tasks should include advising colleagues and monitoring privacy law and policy compliance. The DPO is responsible for training, raising awareness, running audits, and cooperating with supervisory authorities.
Liabilities lie with the data controller and data processor organizations, so no scapegoating the Data Protection Officer! The DPO is not personally liable if your organization fails to comply with the GDPR (however there are civil and criminal liabilities for DPO in other regions). Instead, your organization will be held responsible. The repercussions to your organization are likely to be severe if it obstructs or fails to support the DPO in performing his or her primary duties.
It takes a team to design a privacy compliance strategy and implement it. Give your DPO the freedom to choose a group or team to drive privacy compliance, including but not limited to the GDPR.
Up next in part 2: Data Privacy Impact Assessment