Data Protection Officers. It’s a topic that seems to be on everyone’s mind now that we actively start to prepare for the implementation of the GDPR, but who really needs them?
Anyone working with information security management is by this stage well aware of the upcoming EU General Data Protection Regulation. Come to think of it, even those not working with information security management have probably heard of it too, considering the amount of coverage it has gotten. It’s no wonder, really, given that the new regulation will be the biggest data protection regulation to date. Even though it is being set by the European Union, it will affect companies worldwide. This is because together, the 28 EU member states not only represent the world’s largest economy, but are the top trading partner for 80 countries. Effectively, this means that any country dealing with personal data from citizens of the European Union will need to comply with the GDPR.
Soon after the news about the GDPR broke, another abbreviation started popping up everywhere: DPO. Of course, a Data Protection Officer is not a new role per se, but with sudden focus on the legality of data protection, it only makes sense that we start focusing more on the their role. In fact, the International Association of Privacy Professionals originally estimated that the new data protection regulation would require 28,000 DPOs in Europe and the United States. They have now increased that number up to 75,000 new DPO positions, worldwide. 75,000 is a lot of positions to fill, which leads to the question: who needs a Data Protection Officer?
The Fine Print
Contrary to what you may have heard, not all companies will be legally required to hire a DPO. According to the European Union’s Guidelines on Data Protection Officers:
“it is mandatory for certain controllers and processors to designate a DPO. This will be the case for all public authorities and bodies (irrespective of what data they process), and for other organisations that - as a core activity - monitor individuals systematically and on a large scale, or that process special categories of personal data on a large scale.”
In short, any company which qualifies as a public authority, or in which data processing is a core activity, or inextricably linked to its core activity, must assign a DPO.
However, note that the regulation does not define what constitutes a public authority or body, as the law varies from country to country. It is therefore up to the company in question to know whether they qualify as such. If a company does not immediately fall under the rules that make it mandatory for them to appoint a DPO, the company’s controllers and processors should evaluate whether it’s important or useful for the company to have a DPO.
If you’ve decided to hire a Data Protection Officer, your next step is deciding to what extent you will be hiring one. The most obvious choice is to actually hire a DPO. However, depending on for example the size of your firm, you might find it enough to have a consultant, or even share a DPO with another company. The first option might be the most ideal, as it means they will be fully involved in what the company does and always on-site, but the other two options are just as valid under the new regulation, as long as you are able to reach the DPO at any given moment.
Even if your company does not need to hire a DPO, you’re not quite off the hook. As long as your company processes any kind of data, you need to be familiar with the GDPR, and what it entails. So if you don’t need a DPO, how can you make compliance with the GDPR an everyday practice, without it becoming a bureaucratic mess?
It is our experience at Neupart, that any sort of controlling and compliance can best be achieved with the use of a software tool, rather than relying on manual procedures, spreadsheets and the work of a single employee. So just as we did in our Secure ISMS program suite, we’ve created a tool which makes it easy to understand the GDPR and ensure ongoing compliance with it. A software tool has the benefit of giving you a clear overview of what you need to do exactly, and, more importantly, makes it easy to tick those boxes continually. It also makes it easier for a Data Protection Officer to carry out their job, as it gives them a clear overview of the tasks at hand and tools to educate and incorporate other employees into the process. So whether you employ a DPO or not, if you process personal data, your company will almost certainly benefit from a software product which helps you comply with the GDPR. At the end of the day, it is also important to keep in mind that a DPO is first and foremost a controller and advisor, not the implementer of your data protection; your company will still be responsible for carrying out a range of practices to ensure compliance with the new regulation.