Data protection officers may soon become a staple in many multinational companies, thanks to the European Union’s General Data Protection Regulation set to take effect in May 2018.
Although some European jurisdictions—Germany, France, Hungary, Slovenia, Russia, and Poland—have long mandated or have strongly encouraged the appointment of a data protection officer (DPO), no standardized framework for the role has ever existed. “The EU General Data Protection Regulation means that the role of the data protection officer will at long last be given a Pan-European legislative construct,” says Robert Bond, a partner at law firm Bristows in London.
Broadly speaking, the GDPR marks the most sweeping changes to EU data privacy laws in more than 20 years. The result is a harmonized set of regulations across the European Union that govern how companies collect or process personal data on its citizens.
One of the GDPR’s many requirements is that companies whose “core activities” include the processing of “special categories” of personal data on a “large scale” must designate a DPO. But decoding exactly what those terms mean still has many flummoxed. “There is quite a large margin of interpretation there,” says Jon Baines, chair of the National Association of Data Protection Officers.
To help cut through the confusion, the Article 29 Data Protection Working Party (WP29) issued final guidance interpreting elements of the GDPR. In that guidance, the WP29 defined “core activities” to mean “the key operations to achieve the [data] controller’s or [data] processor’s objectives,” including activities where the processing of data “forms an inextricable part of the controller’s or processor’s activity.”
For example, processing patients’ health records is a core activity of a hospital and, therefore, hospitals must designate DPOs. The same applies to the processing of customer data in the regular course of business by an insurance company or bank.
When determining whether processing is carried out on a large scale, the WP29 recommends taking into consideration the following factors:
The number of data subjects concerned, either as a specific number or as a proportion of the relevant population;
The volume of data and/or the range of different data items being processed;
The duration, or permanence, of the data processing activity; and
The geographical extent of the processing activity.
Recent analysis shows that many organizations still haven’t appointed a DPO. A survey of 500 IT decision makers conducted by Varonis Systems assessing views on GDPR found that half of respondent organizations do not currently have a DPO or equivalent role.
DPO knowledge and skills. The GDPR specifies that the DPO have “expert knowledge of data protection laws and practices” but does not define what that means. Such uncertainty has generated a lot of back-and-forth debate as to whether the appointed DPO needs to be a lawyer.
The key question that many in the privacy community are grappling with is, “Can you have a thorough and complete knowledge of GDPR without being a lawyer?” says Sam Pfeifle of the International Association of Privacy Professionals. “We at the IAPP don’t think you have to be a lawyer necessarily, but you definitely have to have a strong understanding of how privacy law works,” he says.
Many certification bodies train and certify individuals to better understand privacy law and regulation. One of those is the IAPP’s Certified Information Privacy Professional - Europe (CIPP/E).
As cited by the WP29 guidance, other relevant skills and expertise of DPOs include:
Understanding of the processing operations carried out;
Understanding of information technologies and data security;
Knowledge of the business sector and the organization; and
Ability to promote a data protection culture within the organization.
POSITION OF THE DPO
Below is an excerpt from the Article 29 Data Protection Working Party's Guidelines on Data Protection Officers, describing the DPO position.
3. Position of the DPO
3.1. Involvement of the DPO in all issues relating to the protection of personal data
Article 38 of the GDPR provides that the controller and the processor shall ensure that the DPO be ‘involved, properly and in a timely manner, in all issues which relate to the protection of personal data.’ It is crucial that the DPO is involved from the earliest stage possible in all issues relating to data protection. In relation to data protection impact assessments, the GDPR explicitly provides for the early involvement of the DPO and specifies that the controller shall seek the advice of the DPO when carrying out such impact assessments. Ensuring that the DPO is informed and consulted at the outset will facilitate compliance with the GDPR, ensure a privacy by design approach and should therefore be standard procedure within the organisation’s governance. In addition, it is important that the DPO be seen as a discussion partner within the organisation and that he or she is part of the relevant working groups dealing with data processing activities within the organisation. Consequently, the organisation should ensure, for example, that:
The DPO is invited to participate regularly in meetings of senior and middle management;
His or her presence is recommended where decisions with data protection implications are taken. All relevant information must be passed on to the DPO in a timely manner in order to allow him or her to provide adequate advice;
The opinion of the DPO must always be given due weight. In case of disagreement, the WP29 recommends, as good practice, to document the reasons for not following the DPO’s advice;
The DPO must be promptly consulted once a data breach or another incident has occurred. Where appropriate, the controller or processor could develop data protection guidelines or programmes that set out when the DPO must be consulted.
3.2. Necessary resources
Article 38(2) of the GDPR requires the organisation to support its DPO by ‘providing resources necessary to carry out [their] tasks and access to personal data and processing operations, and to maintain his or her expert knowledge.’ The following items, in particular, are to be considered:
Active support of the DPO’s function by senior management (such as at board level);
Sufficient time for DPOs to fulfil their duties. This is particularly important where the DPO is appointed on a part-time basis or where the employee carries out data protection in addition to other duties. Otherwise, conflicting priorities could result in the DPO’s duties being neglected. Having sufficient time to devote to DPO tasks is paramount. It is a good practice to establish a percentage of time for the DPO function where it is not performed on a full-time basis. It is also good practice to determine the time needed to carry out the function, the appropriate level of priority for DPO duties, and for the DPO (or the organisation) to draw up a work plan.
Adequate support in terms of financial resources, infrastructure (premises, facilities, equipment) and staff where appropriate;
Official communication of the designation of the DPO to all staff to ensure that their existence and function is known within the organisation;
Necessary access to other services, such as Human Resources, legal, IT, security, etc., so that DPOs can receive essential support, input, and information from those other services;
Continuous training. DPOs should be given the opportunity to stay up to date with regard to developments within data protection. The aim should be to constantly increase the level of expertise of DPOs and they should be encouraged to participate in training courses on data protection and other forms of professional development, such as participation in privacy fora, workshops, etc.
Given the size and structure of the organisation, it may be necessary to set up a DPO team (a DPO and his/her staff). In such cases, the internal structure of the team and the tasks and responsibilities of each of its members should be clearly drawn up. Similarly, when the function of the DPO is exercised by an external service provider, a team of individuals working for that entity may effectively carry out the tasks of a DPO as a team, under the responsibility of a designated lead contact for the client.
In general, the more complex and/or sensitive the processing operations, the more resources must be given to the DPO. The data protection function must be effective and sufficiently well-resourced in relation to the data processing being carried out.
Source: Article 29 Data Protection Working Party.
A DPO needs to know what personal data is being collected and for which products and services, how that data is being used, and where it is being stored. A lawyer hired externally might not have as good a grasp of what the business is doing with the data as someone recruited in-house. “To me, that’s the biggest focus you need to think about when you’re looking for a DPO,” says Thomas Fischer, chief security advocate at Digital Guardian.
A legal background in a DPO role is not the only consideration companies are currently weighing. In the GDPR survey conducted by Varonis, of the 83 percent of respondents whose organization currently has, or is planning to appoint, a DPO, 47 percent said that they would expect the DPO to have a primarily IT-based professional background.
Similarly, a recent survey carried out by the IAPP of nearly 900 privacy professionals found that the DPO is more likely to be someone from information-security or IT (25 percent) or compliance (26 percent) as opposed to someone from a legal background (16 percent), “suggesting that professionals have so far not been required to have a law degree to serve as DPOs,” the report stated.
This may explain why median salaries for DPOs ($106,500) are slightly lower than the overall median ($115,000), which factors in the higher salaries of privacy professionals with a legal background, the report stated. The median salary of DPOs is also weighed down by the role’s prevalence among EU and Canadian respondents, who on average earn lower salaries than their U.S. counterparts. DPOs in the United States are particularly well compensated, at a median salary of $148,000, versus $130,000 for those who do not have DPO responsibilities.
DPO tasks. Other tasks the DPO must fulfill, as described in Article 39 of the GDPR, include:
Inform and advise the organization and its employees of their obligations under data protection law;
Monitor compliance with data protection laws and with the company’s internal policies as they relate to the protection of personal data, including assigning responsibilities, awareness-raising and training of staff involved in processing operations, and related audits;
Provide advice regarding the data protection impact assessment and monitor its performance;
Cooperate with the data protection authorities and act as the point-of-contact on issues relating to processing.
Because the GDPR requires that DPOs interface with both data subjects and regulators, communication is also an essential skill. “Being able to explain very complex and context-specific terms and ideas to a broad audience is really important in this role,” Pfeifle says.
DPO independence. Although the GDPR does not restrict DPOs from holding other roles, it does expressly require that no other tasks and duties give rise to a conflict of interest, meaning that the DPO cannot hold a position with responsibility for determining the purpose and the means of the processing of personal data. This includes senior-management positions—such as the chief executive, chief operating officer, chief financial officer, or head of marketing, HR, or IT.
Other safeguards put in place to ensure the independence of the role require that the DPO report to senior-level management; cannot receive instructions from controllers or processors regarding the exercise of the DPO’s tasks; and cannot be dismissed or terminated for performing the DPO role. These requirements apply whether the DPO is appointed on a mandatory or voluntary basis.
The WP29 guidance recommends that the DPO be located within the European Union, even if the controller or the processor is not established in the European Union. In some circumstances where the controller or the processor has no establishment within the EU, however, a DPO may be able to carry out their activities more effectively if located outside the European Union, the guidance stated.
With the enactment of GDPR, the DPO role is new to many companies, and so it remains unclear how this evolving function will interact with other departments and what the median salary will be for this position over the coming year as the number of DPOs rapidly expands. “There is still definitely a lot of uncertainty,” Pfeifle says. “With a year to go, most major organizations still aren’t settled on what they’re going to do.”