Is your company required to have a Data Protection Officer? According to the future General Data Protection Regulation – possibly! It all depends on a specific evaluation of the data your company is processing and to what extent.
Data Protection Officers are a new idea and a consequence of the implementation of the new regulation. The most obvious question is: What is a data protection officer?
What is a Data Protection Officer (DPO)? A DPO is the person responsible for personal data within the company. The DPO may be an employee or an external consultant, but must have specific professional competences (expert knowledge) regarding the processing of personal data and must supervise that the company actually implements and complies with the regulation. In particular, the DPO must be consulted before systems that perform automated processing of personal data are designed, put out to tender, developed or configured, to ensure that the company complies with the principles of privacy by design and privacy by default.
Is your company required to have a DPO?
Firstly, all public authorities are required to have a DPO (except the courts). For private companies, a DPO is mandatory in two instances. The first instance is if the core activity of your company is the processing of personal data. Not all processing of data is included, only processing of personal data that, according to its nature, use or purpose, requires regular and systematic surveillance of individuals on a large scale. It is still unclear exactly what this implies, but, roughly speaking, it probably means that if the company’s processing of personal data is extensive and significant in quantity or quality, the company is required to appoint a DPO.
Furthermore, your company is required to appoint a DPO if the core activity of the company is the processing of sensitive information on a large scale or of information regarding criminal records. Sensitive data is information regarding race, ethnic origin, political views, religious or philosophical persuasions, trade union membership, sexuality, and genetic and biometric data.
What is the role of a DPO?
It is important that the DPO is sufficiently independent of the company. In practice, this requirement complicates the appointment. For instance, it will as a rule not be possible to appoint the purchasing manager as the DPO, because of the risk that resources allocated to the DPO role will be given low priority compared to the purchasing function.
It is also questionable whether appointing the company’s external lawyer is adequate, because there is a certain degree of financial connection – and thereby a convergence of interests – between the parties, and also because the DPO is under an obligation to report directly to the supervisory authorities, which could conflict with lawyer-client confidentiality.
Nothing prevents the DPO from being employed by the company, as long as he is offered special protection against dismissal and sanctions arising from his position as the DPO. But as mentioned above, it must be carefully considered which position the DPO holds, as it may easily lead to conflicts of interest. It will also be possible for companies to appoint an external DPO, either alone or together with other companies, as long as the DPO is readily available to all of the companies.
Position in the company
Due to his position, the DPO is subject to a duty of confidentiality and must report directly to the top management of the company. He is also the point of contact between the company and the data protection supervisory authority, as well as for customers, business partners and employees whose data is being processed by the company. He is also responsible for supervising compliance with the company’s policies on personal data privacy and for ensuring that the employees concerned receive appropriate instructions in this regard.
According to the regulation, a DPO must have ‘expert knowledge’ regarding the processing of personal data and related practice. What ‘expert knowledge’ specifically implies and the further education of the DPO will be discussed in the next blog entry.
How to get started right away
It may seem that the requirements of the General Data Protection Regulation are far into the future. But if you look at all the requirements placed on companies and public authorities, it is a good idea to get started right away.
Of course, it may be difficult to assess whether your company is obligated to appoint a DPO. But already at this point, your company can benefit from a thorough review of its procedures regarding the processing of personal data and of the employees who will handle issues regarding the processing of personal data, including whether a DPO must be appointed. This will give you a good starting point for complying with the future requirements regarding the processing of personal data.