When the General Data and Protection Regulation (GDPR) came into effect in May 2018, data protection was fundamentally changed forever. The goal of the GDPR was to give European citizens more control over their data, and the law had a major impact on businesses as well. Any company that handles the data of European citizens is subject to the GDPR, even if they are not based in the EU.

With the GDPR came a new position required by law for companies that process sensitive data on a large scale, or that involve large scale, systematic and regular monitoring. A Data Protection Officer (DPO) is tasked with enforcing the GDPR laws surrounding data and practices within a company.

In this article, we will break down if you need a DPO, what you should look for when appointing one, and what their duties are.

Does my business need a Data Protection Officer?

Under the GDPR, you must appoint a DPO if your business involves any of the following:

• You are a public authority or body (except for courts acting in their judicial capacity)
• Your core activities require large scale, regular and systematic monitoring of individuals (for example, online behavior tracking)
• Your core activities consist of large scale processing of special categories of data or data relating to criminal convictions and offences.

This list applies to both data controllers, and data processors. Most small businesses do not need to appoint a DPO unless their core focus is data collection or storage. 

You can also voluntarily appoint a DPO, even if one is not required for your company. If you do decide to appoint a DPO of your own accord, it is important to note that the same requirements and tasks will apply had a DPO been mandatory. 

Even if you are not required by the GDPR to appoint a DPO, it is vital to ensure that your company has sufficient resources and staff to fulfill your obligations under the GDPR. A DPO can further help you by advising and monitoring compliance, which is why some companies have opted to appoint one voluntarily. A DPO can play a key role in your business’ data protection structure and can help improve accountability. 

Who should you appoint as a DPO?

The GDPR does not include a list of DPO credentials, however Article 37 does require for a data protection officer to have expert knowledge on data protection laws and practices. The regulation also stipulates that the DPO’s expertise should align with how the company processes data, and the level of data protection that is required.

A DPO can be a current member of staff, or professional data privacy advisor can be brought on as an external DPO. Any organizations that are related may use the same DPO to oversee data protection collectively, as long as the DPO is easily accessible to anyone in the related organizations. Additionally, the DPO’s information needs to be public and provided to any regulatory oversight agencies. 

It is vital that your DPO does not have a conflict of interest, meaning that their current duties and responsibilities do not conflict with their monitoring responsibilities. For example, an organization's legal counsel cannot be made a DPO as they may represent the company in legal proceedings. Therefore, they cannot accurately fulfill the duties of a DPO. Senior management and department heads may also have a conflict of interest. This may reduce the list of internal candidates for the role of DPO.

Failing to follow the requirements for appointing a DPO comes with hefty fines. Companies that violate this are subject to $10 million in fines or two percent of the company’s worldwide annual turnover, whichever is higher. 

Hiring a great DPO requires not only someone who is very familiar with data protection law, but someone who also has a good understanding of how your company functions on all levels. A DPO needs to be able to ensure internal compliance, and alert the authorities in an instance of non-compliance regardless of if the company will face a large penalty.

What are the duties of a DPO?

A data protection officer is responsible for overseeing an organization’s data protection strategy and implementing it. According to Article 39, a DPO’s responsibilities include:

• Training employees regarding the GDPR compliance requirements
• Serving as a point of contact between the organization and the relevant supervisory authorities
• Training staff involved in data processing
• Maintaining records of all data processing activities conducted by the company, which must be made public upon request
• Conducting regular audits and assessments to ensure GDPR compliance, and advising the company on where improvements may be needed
• Responding to data subjects in order to inform them as to how their data is being used, and what the company is doing to protect their data
• Ensuring that data subjects’ requests to see copies of their personal data or to have their personal data removed are responded to or fulfilled

As you can see, the list of duties is long and tasks can be complex. For this reason, there are a number of things a company must do in order to support their DPO. An organization must ensure the following:

• The DPO is involved with all matters involving data protection
• The DPO reports to the highest level of management (i.e. board level)
• Accurate resources are provided to the DPO to enable them to meet their GDPR obligations. This may include things such as extra staff, dedicating more of the budget to data protection, sufficient time, et cetera
• The DPO is given appropriate access to personal data and processing activities
• Access is given to the DPO regarding other services within the company, when appropriate
• The DPO operates independently from the rest of the organization and is not penalized or dismissed for performing their required tasks
• The details of your DPO are recorded as part of your processing activities

Working successfully with your DPO is a two-way street that requires honesty, trust, and sufficient resources. Finding the right DPO who understands both your organization and GDPR compliance may take some time, but is certainly worth it.

Do I need a data protection policy?

If you are required to employ a DPO, then you should also have a data protection policy in place as outlined in Article 5 of the GDPR. A data protection policy is an internal document that explains GDPR requirements to employees and also states your company’s commitment to compliance.

It is important to make the GDPR understandable to your staff, as most people are not data protection experts. By creating a data protection policy, you can outline in simple terms how the GDPR applies to employees and what their obligations are. Ensuring everyone understands what is expected of them is a surefire way to ensure compliance.

Having a data protection policy in place also shows that you are committed to GDPR compliance, and is often the first piece of evidence a regulator will look for to see if your company takes the GDPR seriously. Being able to demonstrate compliance is vital when it comes to potential regulatory investigations. 

A data protection policy should include the following information:

• Definitions of key terms regarding GDPR
• The intended purpose of the policy
• Explain the GDPR’s six principles of data processing
• State the scope of GDPR and the effect it will have in your company
• Outline the eight data subject rights
• Provide the name and contact information of your DPO

Should you be at a loss as to how to create your own data protection policy, there are various online services that can help you create one from a template. If you already have a DPO, you can ask for their assistance in creating a clear and concise data protection policy.

Conclusion

All in all, having a data protection officer and a good data protection policy in place are now necessary parts of doing business in the European Union. Lack of compliance can mean devastating penalties for organizations, so it’s important to understand the law and make sure you are following it.

During the first year of GDPR, authorities issued fines totalling €56 million for GDPR breaches, and it is largely expected that regulation will only become tighter over time. To be fair, €50 million of that total was for Google’s violation of the GDPR, but that just goes to show how serious regulators are about this new law. 

A study by advisory firm RSM from this summer has shown that 30% of European companies are not GDPR compliant, and that doesn’t include the many international companies that now fall under this law. There is still a long way to go before GDPR compliance is followed by every company. 

Data protection and data privacy are hot topics, and as time goes by more laws will come into effect that promote stronger regulations surrounding these topics. Although we only have the GDPR for now, it’s reach has been international. It will be interesting to see what new regulations will become law in the future.