One of the most politically contentious innovations of the General Data Protection Regulation (GDPR) is the obligation to appoint a Data Protection Officer (DPO) in certain cases. While the concept of a DPO is new to many jurisdictions, the appointment of DPOs has for decades been an essential element of the German data protection system: since 1977, many German companies have been required to appoint an independent DPO to fulfil self-regulation obligations.
Inspired by the German model, the mandatory DPO under the GDPR is intended to be a central person who advises the company on compliance with the GDPR and acts as the point of contact both for Supervisory Authorities (SAs) and for data subjects.
Who needs a DPO?
Unlike in Germany, where most companies are currently obliged to appoint a DPO, the GDPR only requires the appointment of a DPO by companies in limited cases, namely when the company’s core activities consist of either
- data processing operations which require regular and systematic monitoring of data subjects on a large scale; or
- processing on a large scale of special categories of data (i.e. sensitive data such as health, religion, race, sexual orientation etc.) and personal data relating to criminal convictions and offences.
Public authorities are always required to appoint a DPO under the GDPR.
Since the terminology used, for example “large scale” and “core activities”, is rather vague, determining whether or not you need to appoint a DPO is far from clear-cut. Broadly, however, it should be assumed that businesses engaged in trading data, such as credit agencies and list brokers, will fall within the scope of the rule, while companies that essentially only process employee data for limited HR purposes would generally not be covered.
Who qualifies as a DPO?
The main tasks of the DPO are the independent supervision of a company’s compliance with the GDPR as well as advising and overseeing staff who deal with personal data. DPOs do not have to be lawyers but need to be suitably qualified, with expert knowledge of data protection law and practices. From a practical perspective, DPOs must have a reasonable understanding of the company’s technical and organisational structure and be familiar with its IT infrastructure and technology.
In contrast with the current legal situation in Germany, the GDPR allows for one joint DPO to be appointed for a group of organisations.
The DPO may be employed (internal DPO) or act under a service contract (external DPO). In both cases, a DPO must be given the necessary resources to fulfil the relevant job functions and must be granted a certain level of independence. This independence is supported by a degree of protection against dismissal or other sanctions on grounds that relate to their performance of the DPO tasks. Having said that, the protection afforded under the GDPR is nowhere near as strong as that currently provided in Germany where it is extremely difficult for a company to terminate its employment relationship with an internal DPO.
Consequences of non-compliance
Failure to appoint a DPO where required can lead to significant ramifications. Administrative fines can be as high as €10,000,000 or 2% of the company’s total worldwide annual turnover, whichever is higher.
The pros and cons
Having to appoint a DPO might look like a burden at first glance, but it can also bring benefits to businesses. Centralising data protection can reduce bureaucracy and be an efficient way to ensure compliance with data protection requirements. This is especially true when it comes to sophisticated data processing activities and cross-border data flows within a corporate group. Experience in Germany has shown that designating a DPO can be a suitable method of corporate self-governance. Effective compliance management reduces interventions by the authorities and can help prevent costly disputes.
In addition, transparent and efficient handling of personal data can help an organisation gain a competitive advantage, particularly in terms of public perception.
In essence, companies have to work out whether or not they will have to appoint a DPO in future. If so, they have to get ready by setting up internal corporate structures that provide the DPO with all the required resources. To help the DPO get a handle on the company’s processing of personal data, it may be helpful to compile information on data processing activities within the company, e.g. by creating the records of processing activities required under Art. 30 GDPR (see Demonstrating Compliance with the GDPR).
Even though the GDPR aims at harmonising data protection in Europe, companies should still closely watch legislation at a national level. Since Member States will have discretion to enact national provisions imposing further requirements regarding the appointment of DPOs, multinationals will have to keep track of Member States’ national requirements that may, like those in Germany, be considerably more stringent than those under the GDPR.