Data Protection Officer (DPO)

The General Data Protection Regulation (GDPR) became fully effective on May 25, 2018.

It places new data protection obligations on companies doing business in the EU, including IT security, anonymization, breach notification, and other issues that arise when handling personal data.

The GDPR act includes Data Protection Regulation (EC) No. 45/2001, which requires companies to retain a Data Protection Officer (DPO) to assist in regulatory compliance.

If you perform transactions or sell products or services in the EU, it's likely that you require a DPO in 2018.

This is an overview of this requirement from the GDPR act and how to comply with it so you avoid the steep fines and other penalties arising from the act.

What is a DPO?

The Data Protection Officer or DPO is an individual designated by a company to assure compliance with the GDPR act. There are no specific requirements for the experience or education of this individual, only a broad description that they must have expert knowledge of data security practices.

The duties of a DPO are listed in Article 39 of the GDPR:

  • Educating data controllers, processors, and their employees about GDPR obligations and how to follow them.
  • Monitoring GDPR compliance by managing data protection practices, training employees, and auditing procedures.
  • Advising upper management of needed changes and developments with the laws.
  • Being a liaison between executives and upper management to assure informed decision making on data security.
  • Being available to advise on protection practices including withdrawal of consent and other consumer rights regarding their data.

This places the DPO as a high-level legal compliance executive or an expert consultant if hired as an independent contractor.

Since finding the right person or consultant can be a significant time and financial investment, it's important to know whether hiring this individual is mandatory for your company.

Is a DPO mandatory?

If the core activities of your business involve any of the following, you'll need a DPO regardless of where your business is headquartered:

  • The regular and systematic monitoring of individuals in the EU on a large scale
  • The controlling/processing of special categories of data on a large scale from individuals in the EU
  • The controlling/processing of data related to criminal convictions and criminal offences from individuals in the EU

Special categories of data include sensitive personal information such as political opinions, religious beliefs, sexual orientation, racial or ethnic origin, and health data.

Public authorities that process data from EU citizens will always need a DPO.

If you do not handle personal data, the DPO requirement does not apply to you.

Data Protection Regulation (EC) No. 45/2001 defines personal data as:

[Figure: Definition of personal data under Data Protection Regulation]

This definition of personal data is broader than the one US companies may be used to, so even if you believe all of your systems are compliant, perform an internal audit.

The data you control may be considered personal under the EU requirements even if it avoids that categorization under the laws of your local jurisdiction.

If anything you collect falls under one of these categories, review the DPO compliance checklist below.

Checklist for DPO compliance

Here's what you can do to comply with the DPO requirements from the GDPR act:

  1. Assess your international reach
  2. Take a closer look at the data you collect/process

Assess your international reach

Your app or business may have a greater reach than you realize.

Unless you purposely and directly shut out the EU from your business, consumers there can still access your products and services. That creates the link between you and the EU that may require compliance with the DPO requirement.

Also, realize that even small companies must comply. During the consideration of the regulation, there was a discussion on limiting the requirement to companies with more than 250 employees.

However, that did not survive passage of the bill, so even a recent startup that builds apps needs to consider compliance policies if it markets and sells products to the EU - or uses the platforms that make that possible.

Take a closer look at the data you collect/process

If the data you collect or process is done on a large scale and falls within one of the categories mentioned above, you'll need a DPO.