Who needs a DPO?
The European Data Protection Board (EDPB) has announced a Pan EU coordinated enforcement action by 26 separate Data Protection Authorities (DPA) on the designation of Data Protection Officers (DPOs).
This ‘action’ will address the status of DPOs within their organization, including whether they have the resources to carry out their duties under Articles 37-39 GDPR. More than 500,000 organizations have registered DPOs across Europe, so hundreds of thousands of businesses will receive DPO questionnaires to identify whether a formal investigation and further follow-ups are required.
The EDPB has described the importance of the role of the DPOs “as intermediaries between DPAs, individuals and the business units of an organization, DPOs have an essential role in contributing to compliance with data protection law and promoting effective protection of data subject rights.”
Although many affected businesses will be auditing the remit for their DPO, others might be wondering if they need a DPO function, and what it means.
What does a DPO do?
A DPO is involved in all issues which relate to the protection of personal data and they have a special status within an organization. The DPO’s job is to oversee every part of data processing and ensure that it complies with relevant regulations to such processing. This involves monitoring the personal data from the moment it is collected to the moment it is erased.
The DPO advises on data protection obligations, monitors compliance, advises on Data Protection Impact Assessments (DPIA) and serves as a contact point for the DPA. DPOs don’t make decisions, rather they oversee and advise on how to comply with the laws.
Under GDPR Article 38 the DPO must not be disciplined or dismissed for carrying out their duties. They must have the necessary time and resources to carry out their role, and are required to report to the highest level of management within the organization. The DPO is a link between the organization and the regulator; they must operate independently within the business.
Avoiding Conflict of Interests
The DPO acts as an ombudsman, who has been appointed to look into complaints from individuals and regulators. It is therefore essential that they are independent, free and impartial.
Many organizations struggle with striking the right balance of independence their DPO should have. The job is often fractional, and individuals appointed within an organization likely wear other hats. Within smaller companies, it is common for CEOs, CISOs or GCs to designate themselves 'DPO'.
Conflicts of interest concerning Data Protection Authorities can arise as a result.
To ensure that DPOs remained impartial and protected from internal pressure, CNIL published a further clarification in 2021. They explained that the DPO may perform other duties within the organization. However, in the context of their other duties, they should not have decision-making power or report into anyone who decides over the determination of the purposes and means of processing. In organizations, it is typical that many roles make decisions on how personal data is used and why. Whether it be a technology lead, an information security officer or even a governance executive. The DPO should be separated from a reporting line into any role deciding the use of personal data. Above all else, DPOs may not be "judge and jury" over people's data.
Who needs a Data Protection Officer?
Under GDPR Article 37, any Controller or Processor carrying out regular monitoring of data subjects on a large scale within the EU requires a DPO. They must designate a DPO with expert knowledge of data protection law and practices and the ability to fulfill the tasks prescribed under GDPR Article 39. The company must publish the DPO contact details and communicate them to their designated DPA.
Even businesses headquartered elsewhere need a DPO if:
The company is established in the EU
The company offer goods and services in the EU
The company monitor the behavior of people in the EU
The UK has the new Data Protection and Digital Information Bill, which seeks to be a “new common-sense-led version of the EU’s GDPR.” This Bill will replace the DPO role with an obligation to appoint a “Senior Responsible Individual”. While the requirement that the individual be an executive would seem to sit uneasily with the independence required of a DPO, the Senior Responsible Individual would be required to recuse themselves from any decision that involved a conflict of interests.
US & Canada
Although any US business carrying out processing in the EU is required to have a DPO, the recently passed US state Privacy Acts (CA, UT, CO CT, VA) do not include a requirement for businesses to appoint a DPO.
CCPA/CPRA do require that all individuals responsible for handling consumer inquiries regarding privacy practices or compliance with the CCPA/CPRA are informed of all their legal requirements. Whether this signifies an implicit obligation to create a ‘pseudo-DPO’ role under California law is still to be defined.
Canada’s PIPEDA requires businesses to appoint a person responsible to ensure compliance. The law doesn’t go further in requirements, but it makes clear to companies that meeting the accountability principle means having someone take care of data protection seriously.
Do you need a DPO?
Even if a business is not legally required to appoint a DPO, it is prudent that all businesses processing personal data should have someone who takes a similar role to a DPO. Although it could be a challenge to ensure true independence, every business should have an individual to promote data protection in the organization. Having someone in the business who is able to take on many of the DPO responsibilities, including identifying processing activities, analyzing the activities, checking compliance and informing, advising, and issuing recommendations to the business.
All businesses still need to meet all the legal requirements for compliance, which is a challenge as privacy regulations, data use methods and technology are all moving at an accelerated rate. Having a person dedicated to protecting users’ data, who holistically understands the data processing operations in the company, and data protection laws will avoid many of the current pitfalls, but also help avoid regulatory whiplash.
(For more information, the IAPP publish a DPO toolkit here, and the ICO gives further DPO tips here)