GDPR & Data Protection Officer: When You Need To Appoint One

Written by Aurélie Pols

Published August 09, 2017

An advertising agency in Europe recently published a job offer for a “Data Privacy Officer”. I imagine the idea was to find someone to tackle GDPR compliance for the agency, and take on the rising number of issues reported by clients about data use and related obligations.

While this agency is the first in a group of companies currently being monitored to see whether they will appoint a DPO, they amusingly got the term wrong as the word “privacy” doesn’t even appear within the GDPR.

All joking aside, it’s clear that a lot of data-intensive companies are starting to wonder how to tackle their potential GDPR obligations, and one of the first questions is whether a DPO might be needed.

The most puzzling mention, in a recent update from a major technology vendor, was this:

“Members of the XXX Group have appointed a data protection officer where such appointment is required by Data Protection Laws and Regulations”

The objective of the GDPR is to foster accountability and transparency within an increasingly commodified data ecosystem. It appears this company has probably read the legal text from a purely compliance perspective.

Others, while carefully studying the text and concluding their obligations would not fall within the specified conditions of when a DPO should be appointed, have been warmly encouraged by their (soon to be) Supervisory Authority to do just that. They probably will and are currently on the lookout, choosing consumer trust ahead of their business’s other interests.

The GDPR on appointing a DPO

Article 37 of the GDPR specifies the conditions under which a DPO should be designated. Paragraph 1(b) states: “the core activities of the controller or the processor consist of processing operations which, by virtue of their nature, their scope and/or their purposes, require regular and systematic monitoring of data subjects on a large scale;”

Note the reference to both data controller and data processor. This means that even if a technology vendor is a processor, acting on behalf of its clients, this is not sufficient reason to decide not to appoint a DPO.

Articles 38 and 39 move beyond the pure decision on Designation of a Data protection officer to describe in detail the position of the DPO and his or her tasks, respectively.

GDPR & data protection officer – other references

Additionally, as the provisions of the GDPR tend to refer to one another, other articles mention when a DPO should be involved.

Typically, think of the following situations:

  • Article 13 on Information to be provided where personal data are collected from the data subject: the DPO needs to be referenced, where applicable;
  • Article 14 on Information to be provided where personal data have not been obtained from the data subject: the DPO needs to be referenced, where applicable;
  • Article 30 on Records of Processing Activities: the DPO needs to be referenced, both for the controller as the processor;
  • Article 33 on Notification of a personal data breach to the supervisory authority: “communicate the name and contact details of the DPO…”
  • Article 35 on Data Protection impact assessment: “the controller shall seek the advice of the DPO…”
  • Article 36 on Prior Consultation: where the contact details of the DPO will be provided to the SA;
  • Article 47 on Binding Corporate Rules (BCRs): which will specify any DPO’s tasks, if appointed
  • Article 57 on the Tasks of the supervisory authorities where their tasks will be free of charge for data subjects, and where applicable, for the DPO.

And while at first glance appointing a DPO might seem a straightforward obligation for some, others remain hesitant. The independent nature of the DPO raises fears of whistleblowing as, unlike attorney-client privilege, their confidentiality is non-binding. This could indeed become a problem in court or during an investigation.

That’s why the DPO for Facebook has all my support, keeping an (ethical?) balance will be challenging imho!

GDPR & data protection officer – more recommendations

Thankfully, the Working Party from Article 29, the consultative body we talked about with respect to PrivacyShield, has come out with recommendations in response to a variety of questions that might come up, such as ones related to conflicts of interest, how a DPO should be represented within an international group, etc.

Their recommendations were first published in December of last year, and then again revised in April to assure they adequately address emerging questions with respect to such an important cornerstone of the GDPR, the person orchestrating accountability. Note that this does not mean that the DPO is responsible.

Just as the conductor of an orchestra cannot be held accountable for a flute being played badly, a DPO cannot impose a particular point of view. The DPO is there to issue opinions as needed.

This can obviously cut both ways when compliance needs to be demonstrated, as discussed in a previous blog post on lawfulness of processing: your company is guilty until proven innocent.

What is there to hide?

As we move towards the commodification of data, the ultimate competitive frontier will revolve around consumer trust.

And while debates about data uses and privacy implications can indeed sometimes get awkwardly heated – please explain to me how we all came to think a vacuum cleaner could sell data all by itself? – we’re also witnessing companies which are addressing the issues head on. Meanwhile, still others hide behind lawyerly logic and short-term compliance strategies, if not expensive court battles.

GDPR & data protection officer: some conclusions

No one is saying that this is going to be easy, as aligning with the GDPR and optimizing data uses for society at large is a huge challenge.

No one is saying the GDPR is perfect, but it is a first step towards accountable data use, indeed sunk within a lengthy text of 99 articles and 173 recitals, because this problem is complex.

I’m also not saying that fines of 4% of global turnover or 20 million euros are going to rain down from the sky. Yet, as your company is betting on solving a problem and optimizing processes using personal data, the bits of you and me that make up that personal data have rights. And these rights need someone to be held accountable.

Whether that person is called a DPO – because of legal obligations – or you leave it to the folks in charge of data governance, security, legal counsel, or whoever, the choice is yours.

Evaluate Your Web Analytics Solution Towards GDPR In 12 Steps

Find out if your analytics solution guarantees data accuracy and privacy, including GDPR compliance:

Whatever you choose to do, you can’t forget that this choice needs to be documented as part of the GDPR’s underlining accountability principle, of which we are gently reminded by the Working Party from Article 29.