Article 37 of the European Union’s General Data Protection Regulation (GDPR) outlines the important role that a data protection officer (DPO) plays. The rule states that these professionals must be assigned to organizations that are public authorities (other than courts) that handle EU citizen (“data subject”) personal data “on a large scale” and for which such data processing is a core activity, regardless of the firm’s location.
The primary role of the DPO is to assist the organization with GDPR compliance. As the International Association of Privacy Professionals notes, it’s been estimated that about 28,000 DPOs will be employed by regulated organizations (in order to meet GDPR compliance) when the law goes live in May 2018. While much is written about the GDPR, let’s look at the responsibilities and roles of DPOs.
The responsibilities of the DPO are both anticipatory and proactive. They’re also significant, as the DPO reports directly to the highest executive level of the organization — and punishment for a GDPR breach can be devastating. DPO tasks include overseeing data protection strategy and implementation, taking inventory of data processes, conducting risk gap analyses, conducting security and protection audits, establishing GDPR data protection policy, providing GDPR compliance training (and the change management responsibilities that come with it) to staff, handling incident response, and monitoring and reporting on compliance.
A DPO helps ensure the organization supports the data subjects’ right to access their information, right to be forgotten (no over-retention of subject data) and ready portability or delivery of data to subjects on demand. In addition, they are tasked with overseeing a responsive breach notification process: Data protection authorities must be notified within 72 hours of internal awareness of a breach.
The data protection officer must also be an effective communicator. The DPO is the firm’s prime point of contact with the GDPR Supervisory Authority, an EU member state-appointed body responsible for monitoring data protection for that state. Internally, the DPO coordinates data protection by working closely with the data controller (the entity that determines the purpose, conditions and means of subject data processing) and the data processor (who performs processing on behalf of the controller). The DPO also works closely with HR and finance departments, which naturally handle high levels of subject data.
With respect to new technology and other undertakings that add risk, the DPO provides critical input to the controller for a Data Protection Impact Assessment document. This assessment includes a description of the planned data processing operations and their purposes, the “necessity and proportionality” of these operations, the risks to data subjects involved in the operations and the measures that will be put into place to address these risks. The assessment is consistent with the GDPR principle of “privacy by design,” which requires that privacy controls be built into the design of systems rather than added on later.
DPOs are unique subject matter experts, possessing a deep legal knowledge and understanding of all data processing operations while knowing the GDPR inside and out — and also being very familiar with a firm’s IT infrastructure.
Different organizations may take different approaches to the data protection officer role. The DPO may be a dedicated position working within an organization, or firms may seek a DPO as an external service provider. In the latter case, it will likely be typical for such DPOs to contract with multiple client firms at one time. In smaller firms, the chief information security officer (CISO) role may be augmented to include DPO responsibilities. However, there are some concerns with this approach. First, a conflict of interest may arise between the CISO’s role of protecting the firm first and the more transparent role of the DPO, which is beholden to data subjects before the firm. Second, the CISO might not possess the range of expertise discussed above.
In any case, selection and appointment of a DPO is a critical activity that many firms must take in response to upcoming GDPR regulations.