Back to blog

GDPR & Data Protection Officer: When You Need To Appoint One

Data privacy & security

Written by

Published August 9, 2017 · Updated May 28, 2024

GDPR & Data Protection Officer: When You Need To Appoint One

An advertising agency in Europe recently published a job offer for a “Data Privacy Officer”. I imagine the idea was to find someone to tackle GDPR compliance for the agency, and take on the rising number of issues reported by clients about data use and related obligations.

While this agency is the first in a group of companies currently being monitored to see whether they will appoint a DPO, they amusingly got the term wrong as the word “privacy” doesn’t even appear within the GDPR.

All joking aside, it’s clear that a lot of data-intensive companies are starting to wonder how to tackle their potential GDPR obligations, and one of the first questions is whether a DPO might be needed.

The most puzzling mention, in a recent update from a major technology vendor, was this:

“Members of the XXX Group have appointed a data protection officer where such appointment is required by Data Protection Laws and Regulations”

The objective of the GDPR is to foster accountability and transparency within an increasingly commodified data ecosystem. It appears this company has probably read the legal text from a purely compliance perspective.

Others, while carefully studying the text and concluding their obligations would not fall within the specified conditions of when a DPO should be appointed, have been warmly encouraged by their (soon to be) Supervisory Authority to do just that. They probably will and are currently on the lookout, choosing consumer trust ahead of their business’s other interests.

The GDPR on appointing a DPO

Article 37 of the GDPR specifies the conditions under which a DPO should be designated. Paragraph 1(b) states: “the core activities of the controller or the processor consist of processing operations which, by virtue of their nature, their scope and/or their purposes, require regular and systematic monitoring of data subjects on a large scale;”

Note the reference to both data controller and data processor. This means that even if a technology vendor is a processor, acting on behalf of its clients, this is not sufficient reason to decide not to appoint a DPO.

Articles 38 and 39 move beyond the pure decision on Designation of a Data protection officer to describe in detail the position of the DPO and his or her tasks, respectively.

To appoint a DPO – Data Protection Officer – or not

GDPR & data protection officer – other references

Additionally, as the provisions of the GDPR tend to refer to one another, other articles mention when a DPO should be involved.

Typically, think of the following situations:

  • Article 13 on Information to be provided where personal data are collected from the data subject: the DPO needs to be referenced, where applicable;
  • Article 14 on Information to be provided where personal data have not been obtained from the data subject: the DPO needs to be referenced, where applicable;
  • Article 30 on Records of Processing Activities: the DPO needs to be referenced, both for the controller as the processor;
  • Article 33 on Notification of a personal data breach to the supervisory authority: “communicate the name and contact details of the DPO…”
  • Article 35 on Data Protection impact assessment: “the controller shall seek the advice of the DPO…”
  • Article 36 on Prior Consultation: where the contact details of the DPO will be provided to the SA;
  • Article 47 on Binding Corporate Rules (BCRs): which will specify any DPO’s tasks, if appointed
  • Article 57 on the Tasks of the supervisory authorities where their tasks will be free of charge for data subjects, and where applicable, for the DPO.
  • And while at first glance appointing a DPO might seem a straightforward obligation for some, others remain hesitant. The independent nature of the DPO raises fears of whistleblowing as, unlike attorney-client privilege, their confidentiality is non-binding. This could indeed become a problem in court or during an investigation.
    That’s why the DPO for Facebook has all my support, keeping an (ethical?) balance will be challenging imho!

    GDPR & data protection officer – more recommendations

    Thankfully, the Working Party from Article 29, the consultative body we talked about with respect to PrivacyShield, has come out with recommendations in response to a variety of questions that might come up, such as ones related to conflicts of interest, how a DPO should be represented within an international group, etc.

    Their recommendations were first published in December of last year, and then again revised in April to assure they adequately address emerging questions with respect to such an important cornerstone of the GDPR, the person orchestrating accountability. Note that this does not mean that the DPO is responsible.

    Just as the conductor of an orchestra cannot be held accountable for a flute being played badly, a DPO cannot impose a particular point of view. The DPO is there to issue opinions as needed.

    This can obviously cut both ways when compliance needs to be demonstrated, as discussed in a previous blog post on lawfulness of processing: your company is guilty until proven innocent.

    What is there to hide?

    As we move towards the commodification of data, the ultimate competitive frontier will revolve around consumer trust.

    And while debates about data uses and privacy implications can indeed sometimes get awkwardly heated – please explain to me how we all came to think a vacuum cleaner could sell data all by itself? – we’re also witnessing companies which are addressing the issues head on. Meanwhile, still others hide behind lawyerly logic and short-term compliance strategies, if not expensive court battles.

    GDPR & data protection officer: some conclusions

    No one is saying that this is going to be easy, as aligning with the GDPR and optimizing data uses for society at large is a huge challenge.
    No one is saying the GDPR is perfect, but it is a first step towards accountable data use, indeed sunk within a lengthy text of 99 articles and 173 recitals, because this problem is complex.

    Learn about DPO and GDPR

    I’m also not saying that fines of 4% of global turnover or 20 million euros are going to rain down from the sky. Yet, as your company is betting on solving a problem and optimizing processes using personal data, the bits of you and me that make up that personal data have rights. And these rights need someone to be held accountable.
    Whether that person is called a DPO – because of legal obligations – or you leave it to the folks in charge of data governance, security, legal counsel, or whoever, the choice is yours.

    Evaluate Your Web Analytics Solution Towards GDPR In 12 Steps

    Find out if your analytics solution guarantees data accuracy and privacy, including GDPR compliance:

    Download FREE Guide

    Whatever you choose to do, you can’t forget that this choice needs to be documented as part of the GDPR’s underlining accountability principle, of which we are gently reminded by the Working Party from Article 29.

Author

Aurélie Pols

DPO at mParticle

Aurélie Pols designs best data privacy practices: documenting data flows, minimizing data use risks, and striving for data quality. Aurélie follows the money to streamline data trails while touching upon security practices and ethical data uses. She leads her own consultancy, serves as DPO for New York-based CDP mParticle, was part of the EDPS' Ethics Advisory Group and now serves the European Commission as an expert in the Observatory of the Online Platform Economy.

See more posts by this author

Core – a new plan for Piwik PRO Analytics Suite

Privacy-compliant analytics, built-in consent management and EU hosting. For free.

Sign up for free

Upcoming live webinar

June 27, 2024

Real-time dashboards in Piwik PRO: A hands-on use case

This summer, we’re introducing new real-time dashboards in Piwik PRO Analytics Suite, empowering our clients to make informed decisions in time-sensitive projects. Would you like to learn how to use them in your daily work? Join our webinar to see how our partner agency, Netlife, used real-time insights to streamline the registration process for a major national event, ensuring a smooth user experience and preventing system breakdowns. Stay for a Q&A session where our experts will address all your questions.

Sign up for this webinar