A study by the International Association of Privacy Professionals (IAPP) estimates that 28,000 data protection officers (DPOs) will be needed over the next two years for companies to comply with the EU's new General Data Protection Regulation (GDPR). By the time the GDPR applies in May 2018, in-scope entities must have their DPO in place. Competition for DPOs is likely to be strong given the ongoing shortage of privacy professionals. With this in mind, businesses should start thinking now about how best to recruit, train and resource a DPO rather than wait for the GDPR to take effect.
The GDPR requires data controllers and processors to appoint a DPO when processing is carried out by a public authority or body, or when their "core activities" require "regular and systematic monitoring of data subjects on a large scale" or consist of "processing on a large scale of special categories of data". Even where not required, businesses may voluntarily appoint a DPO. The obligation applies not only to EU companies but also to companies based in the U.S. and elsewhere that fall within the territorial scope of the GDPR and meet the DPO criteria.
DPOs must possess "expert knowledge of data protection law and practices", together with an understanding of the company's technical and organizational structure and its IT infrastructure and technology. Key tasks include monitoring regulatory compliance, training staff, coordinating with regulators, and understanding the risks associated with the company's data processing.
Businesses can either assign the role to an existing or new employee, provided that the employee's other professional duties do not conflict with his or her duties as DPO, or appoint an external candidate under a service contract. A corporate group may appoint a single DPO provided that the person is "easily accessible" from each establishment. In practice this means the DPO must be able to communicate in the local language and must also understand and address the differences in data protection law across the Member States in which the business operates.
DPOs must be independent in the performance of their tasks. They are responsible not only for monitoring data privacy compliance internally, but also for cooperating with the relevant data protection authority and acting as its point of contact. The role therefore combines internal oversight with an outward-facing regulatory liaison, which businesses may, at first, find challenging. Breach of the DPO provisions may lead to substantial administrative fines of up to EUR 10,000,000 or 2% of the organization's total worldwide annual turnover for the preceding financial year, whichever is higher.
Companies should take steps now to determine whether they are subject to the GDPR and, if so, whether a DPO must be appointed. Given the significance of privacy compliance today and the scale of the new administrative fines, larger companies that regularly process personal data may wish to appoint a DPO even where one is not required, in order to assist with GDPR preparations and to demonstrate compliance when the new law takes effect.