Articles 37 and 38 of the General Data Protection Regulation (GDPR) set out the principles and independence of the critical data protection officer (DPO) role, specifying the high-level rules on what can and can’t be done. But like most of the GDPR, they leave open to interpretation how and when it is appropriate to have a DPO.
The Article 29 Working Party has provided much-needed guidance on this subject, and we have been told which roles can’t hold DPO responsibilities (such as the CEO and Marketing Director, because of potential conflicts of interest). However, it does not address the first question on every organization’s lips: “Do I need to appoint an independent DPO in the first place, and if so, when?”
The answer lies in the organization itself, or more specifically, in the types of data processing activities it undertakes. For example, if you process large quantities of EU personal data (such as a small US-based web profiling firm that tracks IP addresses or web cookies for a French utility website to improve customer website stickiness), or if you hold sensitive personal records like medical histories, then your organization falls within the GDPR’s mandatory designation criteria and you therefore need to allocate someone to manage the DPO responsibilities (note: the DPO does not necessarily have to be directly employed by the organization, just qualified to hold the role).
Like the applicability of GDPR itself, the DPO role does not depend on the number of staff or the size of turnover, which is why many of the UK’s 5.7 million small-to-medium sized organizations fall within the scope of GDPR (55 million across the EU), and why so many other organizations around the world that provide services into Europe are busy preparing for GDPR compliance. This makes GDPR a truly global regulation with far-reaching implications. For example, if as an EU citizen I wanted to exercise my rights under GDPR with an organization based in Delhi, I am entitled to do so (assuming my personal data is processed there), and the organization has to uphold my request.
Depending on the size of your organization and the level of processing activities you undertake, you may choose to nominate an individual with responsibility, split the responsibilities among different roles, or even outsource the role externally. Whichever model you choose, the stipulations are that the DPO must be truly independent, must understand the systems and processes that involve personal data or deliver services to individuals in the EU and, crucially, must be qualified or experienced in data protection. This is obvious when you consider the unique nature of the advice given and the difficulty of interpreting the GDPR rule book. It does not follow that the role must be held by a lawyer; as important as it is to understand the law, it is equally important to be able to implement the law within your organization.
So, every DPO has rather a difficult job to do. DPOs need to understand the implications of the law within your organization, uphold the rights of individuals and provide careful advice on the implementation of the rules. Get this wrong, and you could end up in court or face huge financial penalties. Of course, the exposure depends on how much data you are processing and the risks your systems face from their daily processing activities. In other words, if your systems for processing data are complicated and stretch back to the Domesday Book, you have a lot of work to do. Conversely, if you process small amounts of EU personal data, then the impact of GDPR is minimal. The key to appointing your DPO is choosing an individual who understands law, security and privacy risk. You need someone who can tell the difference between a business decision and a true privacy/security risk (e.g., consent, data subject rights or data encryption), and who can make crucial judgements on what could attract unwanted regulator attention or cost the business in lost trade or a missed opportunity.
The key to this role, then, lies not only in finding a knowledgeable, balanced individual who is sensible under pressure, but also in finding one who understands the principles of privacy and security, can act with integrity to protect the rights of individuals, and preferably can advise on protecting personal data so as to avoid harm to those individuals.
Above all, whether you outsource, co-source or hire a DPO (or contractor), my strong advice is to pick someone who understands GDPR, risk and controls, and who has experience implementing mechanisms that allow your organization to make appropriate and proportionate risk assessments (think privacy by design) and realistic recommendations that balance the cost of compliance against the cost of growing the business.
Good luck in your search, and take your time to find the right solution for your organization.
Editor’s note: For more ISACA resources on GDPR, visit www.isaca.org/gdpr.
Steve Wright, Data Privacy & Information Security Officer, John Lewis Partnership
[ISACA Now Blog]