With the implementation of the General Data Protection Regulation (“GDPR”), companies are expected to put in place clear governance measures to ensure compliance. Amongst other things, these measures include the minimisation of data protection breaches and the strengthening of internal policies and training procedures. This may also involve the appointment of a Data Protection Officer (“DPO”). Set out below are some practical points companies should consider when appointing a DPO.
Managing the DPO appointment process
This new requirement left most companies with a number of questions relating to the appointment of a DPO, including:
Companies are not required to comply with the GDPR until 25 May 2018, and until then there is no obligation to appoint a DPO. Although the deadline seems somewhat remote, companies should take into consideration the timeframes required (i) to find an appropriate candidate with the right qualifications to fulfil the role; and (ii) to approve headcount. Further, should a company decide to appoint an existing member of staff, appropriate training must be arranged, and this may take time.
Obligation to Appoint
Article 37(1) sets out instances where companies are under a strict obligation to appoint a DPO. These are when the processing:
The GDPR does not expressly set out a list of compulsory qualifications required of a DPO, but Article 37(5) provides that a DPO must be appointed on the “basis of professional qualities and, in particular, expert knowledge of data protection law and practices and the ability to fulfil the tasks referred to in Art 39”. As such, when deciding the level of qualification to expect of a DPO, it would be reasonable for a company to assess its needs based on the type of processing it carries out and the level of protection the data it processes requires.
The tasks of a DPO are set out in Article 39 and include:
One Appointment for the Group
When it comes to group enterprises, the GDPR allows for one single individual to be appointed as the DPO for the whole Group, being the Group’s companies located in the EU and/or outside of the EU. More particularly, Article 37(2) states that “a group of undertakings may appoint a single data protection officer provided that a data protection officer is easily accessible from each establishment”.
Internal or External Candidate
Companies may decide to appoint an existing member of staff as their DPO, provided that no conflict of interest arises, or decide to hire someone external. The DPO may be employed or engaged on a service contract basis. However, the costs of selecting an internal candidate and training them must be balanced against the costs of recruiting someone external.
Although a company may save some money by appointing an existing member of staff rather than going through the often laborious and expensive recruitment process, it is important to balance costs and convenience against the benefits of selecting a candidate with the right level of experience and knowledge, so as to provide the company with an adequate compliance programme capable of withstanding the regulatory checks of the supervisory authority.
Whilst appointing a DPO is something most companies will be required, or will decide, to do, it is worth considering that becoming a DPO carries certain responsibilities that could reduce the appeal of the role. Being responsible for the company’s potential penalty of up to 20 million Euros or 4% of the organisation’s worldwide turnover for non-compliance might not be so appealing to an individual who does not have the required expertise to ensure the company’s compliance with the GDPR.
Securing the right level of protection your company requires based on your activities should be a priority and one that does not need to wait until May 2018.
Elisabetta Elia is an associate in the commerce & technology team at City law firm Fox Williams LLP and can be contacted at email@example.com