By Victoria Armstrong – Legal Associate at EPI-USE.
The International Association of Privacy Professionals has predicted that over 28,000 DPOs will be appointed by May 2018 for GDPR compliance within the EU alone. But who is the best choice for this new and important role? An internal appointment or an external hire? A newly qualified lawyer with recent data protection training or an experienced data expert? And is there anyone wholly unsuited to this role? Whilst much is uncertain, here is what can be ascertained so far.
A key step towards GDPR compliance:
Although EU Regulation 2016/679 (the General Data Protection Regulation (GDPR)) does not come into effect until May 25th 2018, a paradigm shift is already underway in how corporations are approaching the use and processing of personal data. Greater accountability is being assumed, in line with the core informing aims of the GDPR.
Soon, all corporations, whether they are data controllers or processors or both, will be required to make data security a primary concern when considering and developing their activities. Part of this involves ensuring that the appropriate persons and processes are in place to take responsibility for this. To this end, the GDPR requires that certain undertakings appoint a DPO (see GDPR Articles 37 – 39). The bodies to which this applies include public authorities, bodies engaged in the large-scale systematic monitoring of individuals, bodies for whom data use pertains to their ‘core’ activities and bodies engaged in the large-scale processing of ‘special data’.
The Scope of the DPO role:
The DPO is to be responsible for informing their corporation of its data protection responsibilities, monitoring compliance and acting as an easily identified initial point of contact for any data-related enquiries to the corporation. The DPO is to report only to the corporation’s most senior management level and be empowered to operate independently. In addition, corporations are non-negotiably obligated to provide the DPO with all resources, access and information that they request or require to assess and analyse the organisation’s data-related activities, including in terms of security, the purpose and extent of processing, and respect for data subjects’ rights to be informed, have access, be forgotten, have processing restricted etc.
DPOs cannot be dismissed or disciplined for fulfilling their responsibilities (for instance, should their tasks require substantial and resource-intensive reform of internal processes). To ensure compliance with this, and to avoid a DPO having a conflict of interests, it is suggested that the DPO should also not be on a short or fixed-term contract. Whilst definitive guidance has not yet been given on the ideal length of a DPO employment contract, an indication can be taken from the EU institutions who have determined that their own DPOs are to be appointed for between 2 and 5 years.
Clearly, the role of DPO is of fundamental importance for any corporation whose activities involve data, not only for the GDPR implementation period but for the foreseeable future. The critical question then emerges: who should take on this position?
Your company’s DPO:
The GDPR does not have specific requirements for a DPO’s background or qualifications, which gives both flexibility and uncertainty. Nevertheless, some direction can be ascertained, particularly in light of the Guidance Note released by the Article 29 Working Party in 2017.
First, who is the ideal candidate to take on these responsibilities?
1. Someone with expertise and experience in the relevant data practice. Whilst this may seem obvious, it is crucial that someone with familiarity with the nuances of the general data methods and practices of the corporation in question is appointed as DPO.
This is not to say that the DPO must be a technical expert in every nuance of the corporation’s data-related activities. However, the legal landscape regarding data protection, data processing, and privacy rights is currently in a particularly volatile stage, and until more solid guidance comes from the EU Commission or EU courts, a DPO is required to interpret the general principles of the GDPR and apply them to the specific practices of their corporation. Therefore, the DPO must have a sufficient understanding of the corporation’s activities, or at least the ability to quickly gain this understanding, so as to be able to ask the necessary questions and make judgments about risk.
As a loose guide, it is advisable that their understanding be at least roughly proportionate to the extent of the corporation’s data-related activities. So, for corporations which regularly process substantial amounts of sensitive data, it would be expected that the corporation’s DPO would have far greater technical expertise than the DPO of a corporation which only occasionally uses small and incidental amounts of data.
2. Someone with an in-depth appreciation of the relevant data protection laws. As above, this is not to say that the DPO must have a legal education (although this is by no means a disadvantage). Rather, a DPO must have a level of professional experience and knowledge in the relevant laws that is proportionate to the corporation’s data-related activities. Therefore, as above, the DPO of a corporation focused on data processing would be expected to have much greater, industry- and practice-specific knowledge of data laws than their counterpart in a corporation that only occasionally uses personal data. Furthermore, much of the GDPR is purposely phrased using inexplicit language so as to ensure that no corporation can exploit loopholes to inappropriately avoid duties and obligations. Here, legal skills may be particularly useful, as the GDPR’s inexplicit language must not be interpreted as meaning that the GDPR does not impose stringent duties on any undertaking engaged in data processing activities.
Second, who can be DPO, and is there anyone who either should not or cannot take on this role?
1. The DPO may be an existing employee, and indeed such a person may often be the best person, if their current/previous roles have afforded them familiarity with the activity. However, matters are more complex if a corporation wishes to appoint an employee to the DPO role in addition to their existing role, rather than make it their only position. First, the nature of the DPO’s status (for instance, reporting directly to highest level management) means it would be difficult for an employee to fulfil this role alongside a much lower level position. It would also be difficult to ensure and prove that any possible discipline or poor treatment they received for their work in their other capacity is wholly unrelated to their DPO role and does not influence it. Difficult here does not mean impossible, but it is undoubtedly a concern that organisations considering this approach should keep in mind.
The seemingly obvious reply may then be that a member of senior management could take on the role; however, this approach also has complications. First, in many corporations, the DPO role may be time-consuming, and it is improbable that a person of high seniority will have ample spare time to devote to this role. Further, the DPO’s other professional duties cannot exist in a conflict of interests with their DPO duties. Therefore, as a rule of thumb, some otherwise suited candidates may not be appropriate for this role, for instance:
- The Human Resources Manager: as the DPO should not also be a controller of personal data, which any HR manager effectively is (even in data processing corporations).
- The CEO: if the CEO is involved in the corporation’s activities to the extent that they have an influential say in determining the corporation’s strategy and methods for data processing, it is very difficult to prove that they can separate their two positions so as to be able to independently scrutinise and critically evaluate their CEO decisions from a DPO perspective.
- The CFO: for the same reasons as the CEO.
- A Central Security Officer or COO: for the same reasons as the CEO.
** However, where someone occupies a senior management position but is, for whatever reason, separated from decision-making and strategising in relation to data processing, they may still be a reasonable candidate for DPO. In any event, this evaluation is corporation-specific, and an analysis of the exact circumstances of the proposed individual ought to be carried out by another person who understands the demands of the GDPR.
In contrast, existing employees who may be more worthwhile candidates for initial consideration for DPO are:
- General Counsel: provided that they are in a relatively senior position and generally understand the technical data-related activities of the corporation.
- A Compliance Officer: if there is already an employee who is solely concerned with IT security compliance, for instance for the ISO/IEC 27001 standard, or similar, this person may be very well placed to adopt a dual-role as DPO. However, it is rare for small-to-medium enterprises to have such a person in a full-time position, so this route may not be feasible.
2. Nonetheless, it must be noted that regardless of which employee is being considered for a dual role, the requirement that these two roles do not present a conflict of interest is always applicable. The DPO role can also be outsourced to an externally appointed individual from a suitable law or IT organisation. This approach may be financially suited to smaller firms with only minor engagement in data use; however, it should be emphasised that outsourcing the role does not relieve the corporation of responsibility. Consequently, it must be ensured that an external DPO is still furnished with the same responsibilities, resources, direct communication with management, etc., as an internal DPO would be, and is also free of any potential conflicts of interest.
Overall, despite the guidance given in the GDPR itself and in subsequently released guidance, sizeable uncertainty still surrounds the DPO role. Whilst it can be presumed that clarity will come once the GDPR enters into force, corporations would be ill-advised to postpone making this decision in the hope that any new, major enlightenment will come before May 2018. Conversely, corporations ought not to stress overly for fear of unwittingly appointing a candidate that later guidance or rules reveal to be sub-optimal; there is no one-size-fits-all solution or recommendation, and it can be reasonably assumed that the GDPR’s expansive language is designed to be flexible and all-encompassing, rather than to leave room for authorities to unfairly penalise corporations in this regard. Nonetheless, all corporations should keep abreast of any future developments and guidance notes in relation to the GDPR, both in the lead-up to its implementation and in the aftermath.
Rather, the best approach for corporations who have yet to appoint a DPO is to consider the guidance that does exist and heavily scrutinise it in relation to their own activities, ultimately making a decision that may not necessarily be the cheapest or most convenient, but is the one that is GDPR compliant and genuinely appropriate for their business.
*** None of the information contained herein should be deemed to constitute legal advice.
About the author: Victoria is a Legal Associate at EPI-USE Nordic who has extensively researched the legal and practical considerations of GDPR implementation for data controllers and data processors. She is currently working on preparing EPI-USE Nordic for GDPR compliance.