The GDPR makes it mandatory for certain companies that control and process the personal data of EU residents to appoint a Data Protection Officer (DPO). However, even when the GDPR does not impose the appointment of a DPO you may find it useful to designate a DPO on a voluntary basis.
When do you have to appoint a DPO?
The GDPR makes it mandatory to designate a DPO if, in particular, your core activity consists of processing operations which require regular and systematic monitoring of data subjects on a large scale. This might concern you. But what does this really mean? The GDPR poses three requirements when a DPO is mandated. We will examine them one by one.
• Your core activity
This means that if the key operations necessary to achieve your goals require the processing of personal data, you have to appoint a DPO. For instance, a hospital needs to process data to provide health care, so it’s part of its core activity and it needs to appoint a DPO. On the other hand, if you process data for HR purposes because you have employees in the EU then it will only be a secondary function to your main activity.
• Regular and systematic monitoring
This includes all forms of internet tracking that you may carry out on a regular basis. Recital 24 of the GDPR defines monitoringto include the potential subsequent use of personal data processing techniques which consist of profiling an individual, particularly in order to make decisions regarding such individual or for analyzing or predicting their personal preferences, behaviors and attitudes. Recital 30 goes on to add that this includes the use of online identifiers provided by an individuals’ devices, applications, tools and protocols, such as IP addresses, cookies and other identifiers from the moment that such identifiers, when combined with unique identifiers and other information received by the servers, may be used to create profiles of the individuals and identify them.
Regular, in this context is wide, it includes the following:
– Ongoing or occurring at particular intervals for a particular period
– Recurring or repeated at fixed terms
– Constantly and periodically taking place
Systematic should also be interpreted broadly as it includes:
– Occurring, according to a system
– Pre-arranged, organized or methodical
– Taking place as part of a general plan for data collection
– Carried out as part of a strategy
• On a large scale
Concerning the large scale requirement, the GDPR gives no definition as to what a large scale is – there is no precise number. You should take into account the following factors in order to determine whether the processing is carried out on a “large scale”:
– The number of individuals concerned – either as a specific number or as a proportion of the relevant population
– The volume of data and / or the range of different data items being processed
– The duration, or permanence, of the data processing activity
– The geographical extent of the processing activity
Recital 91 of the GDPR particularly points to those operations that process a considerable amount of personal data and which could affect a large number of individuals and which are likely to result in high risk to the rights and freedoms of individuals. For example, where a new technology is used on a large scale or makes it more difficult for individuals to exercise their rights under the GDPR.
Technically, the circumstances in which the GDPR requires the appointment of a DPO are narrow. But as with every piece of legislation, particularly EU legislation, there is the text and then there is what reads between the lines of the text. This “sub-text” is supported by regulatory guidance, opinions and recommendations. Looking at such regulatory guidance at the EU Member State level as well as the opinion of the Article 29 Working Party (an informal gathering of representatives of all EU Member States data protection authorities, now replaced by the European Data Protection Board under the GDPR) with respect to the DPO It is clear that (although the GDPR only calls out certain activities as mandating the appointment of a DPO) the EU regulators consider the voluntary appointment of a DPO as recommended good practice, if only to have a point person within an organization to coordinate ongoing compliance efforts and respond to regulators and individuals’ queries about the organization’s data processing activities.
So Why should I appoint a DPO even though it is not required?
Even if you don’t think you are required to appoint a DPO it’s still a good idea. Why? Because most organizations in the U.S., particularly those without a physical presence in the EU, have no in-house expertise in EU data protection laws, including the GDPR. Understanding the GDPR goes beyond the mere reading of the text of the legislation, which is no easy task in itself given that the GDPR isn’t always well drafted and its provisions are not easy to convert into actionable items and deliverables. Understanding the GDPR also requires the review of the various guidance, opinions and recommendations issued by both EU and Member State regulators interpreting the text. In addition, in more than 50 areas of the GDPR, the EU regulator opens the opportunity for individual Member States to pass supplemental legislation at the national level (the so-called “national derogations“, see our U.S. law firm member’s recent article on this topic here).
The interplay of EU and national data protection legislation makes the task of overseeing the compliance efforts of any organization rather complex. Most U.S.-based organizations aren’t equipped internally to take that on, and to translate EU data protection legal requirements into actionable tasks for them to operationalize. Hiring a DPO, or other dedicated data protection manager to assist with that effort is therefore, if not required, at least highly recommended. For a U.S.-based organization, the right type of help in that area includes an individual who not only understands EU law, but also U.S. privacy laws and regulations, so that the mission of the DPO or data protection manager would be to help the organization manage its privacy compliance roadmap implementation both in the U.S. and the EU.
It is important to note though that you don’t need that DPO to be an employee of your organization. Depending on the size of your organization and the complexity and extent of its processing activities, it may also not warrant making such an assignment a full time job. A number of smaller organizations have engaged such person on an outsourced retainer basis via a services engagement.
For more information on what is expected in the role of a DPO we invite you to consult the Article 29 Working Party opinion here. Please also read here our article on why it is important to retain EU privacy counsel to advise on EU data protection law.
Remember, appointing a DPO will increase your chance of complying with the GDPR and other EU and national data protection laws (there are quite a few, besides the GDPR!), not just now, but on an ongoing basis, ensuring that you not only understand your current responsibilities and obligations as an organization, but also stay on top of them as the law evolves. Most and foremost, it will help you avoid severe administrative penalties that come with failing to comply with the GDPR.
If you are based in the U.S. and would like to know more about our GDPR practice and our DPO Services please view our U.S. law firm member’s GDPR page here.
This article was written with the collaboration of Marie-Victoire Wickers