Under Europe’s General Data Protection Regulation (“the GDPR”), Controllers and Processors are obliged, in certain circumstances, to appoint Data Protection Officers (“DPOs”) responsible for facilitating data protection compliance. Additionally, the GDPR sets requirements for the DPO position and defines the minimum tasks that must be allocated to the DPO role. In preparing for and complying with these requirements, companies need to consider the practical implications of appointing, if not formulating, the DPO role.
While some companies may be able to leverage organizational development specialists to facilitate their preparation efforts, others will approach these matters in accordance with their existing compliance governance models, functional roles and practices, as these relate to the DPO mandates within the GDPR.
The GDPR defines when a DPO is required
The GDPR requires Controllers and Processors to appoint a DPO in certain circumstances. Of particular note for small to mid-size companies required to appoint a DPO, the GDPR allows the DPO role to be fulfilled by an employee or by a third party retained under a service contract. Additionally, with respect to a “group of undertakings” involving multiple Controllers, Processors and processing activities, the GDPR allows for the appointment of a single DPO to preside over such business arrangements.
Thus, due consideration of the DPO role should account for the responsibilities across all parties involved in such processing activities. The GDPR also allows the appointment of a DPO to represent associations and other bodies representing related groups of Data Controllers and Processors.
In all other instances, however, companies must appoint a DPO where:
• their core processing activities are carried out on behalf of a public authority, or
• their processing activities include, in accordance with their nature, scope and purpose, regular and large-scale:
– systematic monitoring, or profiling, of data subjects, such as for direct marketing purposes, or
– processing of special categories of personal data or criminal history information.
The GDPR defines the positioning of the DPO role
The GDPR requires that Data Protection Officers be properly situated within their respective organizations. In addition to being appropriately trained, the DPO must, under the GDPR, be appropriately resourced, independent and protected. Across these matters, the GDPR mandates that DPOs:
- shall report to the highest management level, be bound by secrecy and confidentiality obligations, and be designated on the basis of their:
– professional qualities,
– expert knowledge of data protection law and practices, and
– ability to fulfil the tasks required by the law;
- must be appropriately supported in carrying out the obligatory tasks under the law, especially by being:
– given any education necessary to maintain their expert knowledge,
– resourced appropriately to carry out their tasks,
– properly (and promptly) engaged in all issues related to the protection of personal data, and
– given access to the personal data and processing operations; and
- must be independently situated within the organization so as to avoid:
– receiving instructions from the business regarding the exercise of the obligatory tasks,
– being dismissed or penalized for performing the tasks required under the GDPR, or
– the assignment of other tasks or duties in direct conflict with GDPR mandates.
The GDPR defines obligatory tasks for DPOs
The GDPR requires that DPOs be allocated responsibility for data protection compliance, with due regard for the data protection risks applicable to the organization and for the nature, scope, context and purpose of its processing activities. DPOs must be allocated responsibility for representing the organization, as its data protection compliance expert, to outside parties. Additionally, DPOs serve as the internal data protection advisor and advocate, responsible for educating employees on data protection matters.
The GDPR also mandates that DPOs serve as internal auditors responsible for monitoring compliance efforts, rendering advice on compliance matters and facilitating the data protection impact assessments required under the law. Specifically, the GDPR requires that the following tasks be allocated to the DPO:
- Serve as the single point of contact for, and be available to and addressable by:
– Supervisory Authorities, in relation to all matters related to the processing of personal data, obligatory prior consultation efforts, breach notification mandates and other data protection matters requiring the organization’s cooperation, and
– Data Subjects, regarding all issues related to the processing of their personal data and the exercise of their Data Protection Rights.
- Inform and advise the organization and the employees processing personal data of their obligations under the GDPR and other European Union and Member State data protection laws.
- Provide advice and guidance regarding the implementation and performance of Data Protection Impact Assessments carried out on behalf of the company.
- Monitor the organization’s compliance efforts in relation to:
– data protection laws,
– the assignment of roles and responsibilities,
– the establishment of data protection policies and procedures,
– training and awareness efforts for staff involved in processing operations, and
– audits designed to ensure data protection compliance.
Additional Considerations for Compliance Governance Models
In aligning with the GDPR’s mandates for DPOs, companies may consider their compliance governance model in relation to where the DPO is situated within the organization. For discussion purposes, these models are categorized here as centralized, local, or some variation (a hybrid) of the two.
• Centralized Governance Model
Where functional data protection responsibilities are allocated to a single person or team, companies may treat the DPO role as a discrete role within the organization. Consistent with the centralized governance model, the DPO must maintain broad visibility across the organization and is vested with the authority necessary to ensure compliance by all local operations. In this model, however, companies should carefully consider the resources, structures and processes necessary to funnel all data protection matters through a single role or team to ensure compliance, while also ensuring the business remains nimble and efficient.
• Local Governance Model
Where compliance decisions are decentralized and made at lower levels of the organization, companies may find that situating the DPO closer to operations ultimately gives the DPO a more intimate knowledge of operations and allows the DPO to better facilitate compliance from within them. For companies with a small number of operations or service lines, the placement of the DPO role within operations may be especially attractive. For example, with a more intimate knowledge of processing activities, the DPO’s advice, advocacy efforts and training efforts are likely to be more informed, targeted and reflective of the business objectives and processes involved. Companies leveraging local governance will need to reconcile their appointment of the DPO within operations with the GDPR’s mandate that the role report to the highest level of the operation’s management.
• Hybrid Governance Model
Companies leveraging hybrid governance models seek the strengths of both the centralized and the local governance models. Hybrid models can be especially attractive for companies with multiple business lines, varying processing activities or limited resources. Through a hybrid model, companies may situate the DPO role centrally and allow operations to remain responsible for operational compliance. In this model, DPOs remain in close proximity to senior leadership and are empowered to establish broadly applicable processing guidelines, risk measurement techniques and thresholds designed to indicate problems or errors within operations. In parallel, this model allows companies to preserve the autonomy of local operations, provided they adhere to the established guidelines and implement measures designed to demonstrate compliance in accordance with their specific business needs and processing activities. Under the hybrid model, companies should additionally consider the DPO’s broad visibility across operations and establish local operations as major stakeholders in the development of compliance standards and measures, responsible for describing their discrete business objectives, educational needs and processing activities.
Additional considerations for existing functions and tasks
Companies should also consider the existing functions and tasks relevant to the DPO role. These considerations can help companies better determine how the role is situated within the organization, identify relevant reporting structures and partnerships, or even highlight where existing structures, processes and tasks should be refined in conjunction with the DPO role.
• Legal / Compliance / Privacy
Depending on the discrete functions available and the responsibilities therein, companies with legal, compliance and privacy resources generally task those functions with establishing the substantive legal requirements related to their processing activities. These functions also commonly allocate these responsibilities across the internal and external parties involved in processing activities. Depending on which other functional roles are allocated staff development responsibilities, legal, compliance and privacy teams often facilitate the communication and education efforts necessary to ensure employees understand their compliance obligations. Additionally, in the absence of a formal risk function, legal, compliance and privacy functions may also design and facilitate risk assessment processes for specific legal matters. When applicable, these risk assessments may be applied broadly across the organization, in the context of existing processing operations, during the design and development phases of new products and services, or when establishing new external relationships.
• Information Technology / Information Security
Companies should also consider Information Technology and Information Security (“Information Technology and Security” herein) functions and tasks, especially those related to protecting the confidentiality, integrity and availability of information. Information Technology and Security functions are generally already resourced to establish the technical controls necessary to address risks pertinent to the organization. Relevant to these matters, Information Technology and Security functions generally have existing processes designed to identify and evaluate technical security risks. Depending on the maturity, size and complexity of the program, these risk assessment efforts are likely to cover information systems managed internally by the company as well as those managed by third parties. Further, subject to the Information Technology and Security function’s existing resources and capabilities, these risk assessment measures may also account for existing, replacement and new systems, related to specific business lines or even discrete processing operations.
• Procurement & Product Development
In relation to the addition of a new partner, technology, product or service, companies should always consider how change impacts their compliance obligations. Changes often create risks and shift compliance burdens after the initial diligence efforts have been completed. Often, companies introduce change in pursuit of strategic business goals and may or may not consider the impact of the change on their compliance efforts. Without appropriate processes in place to identify and evaluate the impact of substantive changes, change can easily introduce risk where the material facts reviewed during the initial diligence efforts are no longer relevant. While companies with discrete procurement and product development functions may be better prepared to account for these kinds of changes, other companies may consider allocating their DPO responsibility for identifying and evaluating change to ensure ongoing compliance.
• Operations
Companies should also carefully consider the Operational roles and responsibilities relevant to the DPO. Operations is generally the most knowledgeable about specific processing operations and related activities. Operational representatives are generally mandated to facilitate the underlying business objectives associated with processing operations and activities. Operations generally has the visibility across processing operations to appropriately allocate responsibilities, including local processes, technologies and the internal and external parties involved. This visibility lends support for describing the kinds of personal data needed in support of specific business objectives, the general flow of personal data into, within and from the organization, and other matters related to the respective data life cycle. In addition to highlighting the technical and physical controls applicable to processing activities, Operations can also highlight the application of administrative controls relevant to ensuring compliant processing operations and activities, including those related to screening, communicating with and educating the employees supporting their processing activities. Through illustrating the data flows, Operations is also well suited to describe where data protection records are established and how they are managed, protected and destroyed. Operations is perhaps the most important stakeholder in developing policies, standards and measures which reflect the company’s business objectives, ensure data protection by design and default, and produce the evidence necessary to demonstrate compliance efforts.
Authored by: Chris Field, Corporate Privacy Director at Harte Hanks
The information provided and the opinions expressed in this document represent the views of the Data Protection Network. They do not constitute legal advice and cannot be construed as offering comprehensive guidance on the EU General Data Protection Regulation (GDPR) or other statutory measures referred to.