Appointment GDPR DPO needed?
When You Need To Appoint A Data Protection Officer (DPO) or GDPR officer?
Most companies are at the moment looking for DPO’s to do DPIA’s… This is because of the new EU General Data Protection Regulation (GDPR) Directive, which is for sure the most important change in data privacy regulation in 20 years. It aims to make Europe fit for the digital age and comes with a lot of Rules and Regulations for the protection of personal data inside and outside the European Union (EU) and affects all companies that save personal data from European citizens.
Big chance this is also applicable to your “data-intensive “company.
So when do you need to appoint a Data Protection Officer (DPO) or GDPR officer to handle with the new rules and to tackle GDPR compliance?
The GDPR is choosing consumer trust ahead of the business’s interests. From a legal perspective, that fosters the objective that the GDPR creates an accountability and transparency demand (specifically to the consent of the Data Subjects), it appears that to be compliant you need to appoint a DPO. However, when carefully reading the GDPR directive, you can conclude it’s not specified when a DPO should be appointed. A soon to be Supervisory Authority will provide us with this answer.
- Data to be provided where Personal Data is collected from Data Subject: the DPO needs to be referenced (GDPR Article 13);
- Information to be provided where personal data have not been obtained from the Data Subject: the DPO needs to be referenced (GDPR Article 14);
- Records of Processing Activities: DPO needs to be referenced, both for the controller as for the processor GDPR Article 30;
- Notification of a Personal Data Breach to the SA: “Communicate DPA contact details” (GDPR Article 33);
- Data Protection Impact Assessment (DPIA): “Controller shall seek the advice of the DPO” (GDPR Article 35);
- Prior Consultation: where the contact details of the DPO will be provided to the SA (GDPR Article 36);
- The GDPR Article 37 Paragraph 1(b) mentions on appointing a DPO: the core activities of the controller or the processor consist of processing operations which, by virtue of their nature, their scope and/or their purposes, require regular and systematic monitoring of data subjects on a large scale;” Note a DPO is referred to as both the data processor and the data controller;
- Article 38: Position of the data protection officer: Passes over the decision on the appointment of a DPO (or not), and provides a position description of the DPO and relevant tasks GDPR Article 38 and 39 Paragraph 1(b).
- Binding Corporate Rules: specifies any DPO’s tasks, if appointed GDPR Article 47);
- Tasks SA will be free of charge for Data Subjects and where applicable, for the DPO GDPR Article 57.
In conclusion, it seems appointing a DPO seems like a wise decision (because of legal obligations), and to start implementing a plan to become compliant with GDPR is a must. However, the impact it will have on your organization will totally depend on the scale of how intensive your data processing is, and the size of your company (in my opinion). It’s good to prioritize and define the budget and resources to appoint. The independent nature of a DPO raises suspicions and fear of whistleblowing as their confidentiality is non-binding. This could indeed become a problem in court or during an investigation.
Nevertheless, The DPO is there to issue opinions when necessary. This can obviously cut both ways when compliance needs to be proven on the lawfulness of processing: your company is guilty until proven innocent. With a possible heavy fine in the prospect of 4% of global turnover or 20 million euros, your company is better taking steps to check if they are processing personal data correctly.
Whatever you choose to do, make sure this choice needs to be documented as part of the GDPR’s underlining accountability principle (GDPR Article 29).
Hope this article was helpful! If you want to know more about how to improve your GDPR compliance? Check out this overview of useful GDPR document templates to make you compliant: