The forthcoming EU General Data Protection Regulation (GDPR) will mandate certain organisations to designate a Data Protection Officer (DPO) - a ‘go-to’ person who will have responsibility for data protection-related compliance. The Regulation is not very specific on the qualifications which a candidate must possess in order to be considered for the DPO role. However, Article 37 does require that the DPO is appointed “on the basis of professional qualities and, in particular, expert knowledge of data protection law and practices” as well as the ability to fulfil the following tasks:
- Advising the organisation of its obligations under the GDPR;
- Monitoring compliance with data protection law via assignment of responsibilities (for example, appointing ‘Data Protection Champions’ within the organisation), staff training and awareness, and carrying out audits;
- Advising on the need for Privacy Impact Assessments where relevant; and
- Cooperating with, and acting as the organisation’s contact point with, the local Data Protection Authority.
Importantly, the GDPR does not expect every organisation to have a DPO. However, there will be such a requirement when:
(a) The processing is carried out by a public authority or body (except for courts acting in their judicial capacity);
(b) The core activities of the organisation involve data processing operations which “require regular and systematic monitoring of data subjects on a large scale”; or
(c) The core activities of the organisation involve the processing of sensitive personal data on a large scale.
The exact size or scale of the above-mentioned processing activities is not specified by the GDPR – there is no specific cut-off point above which a business/public body must have a DPO. Nonetheless, as with other regulatory requirements, organisations will be advised to err on the side of caution rather than face sanctions for breaking the new law. For the first time, a uniform set of administrative fines will be in place which will be triggered when an organisation is found guilty of a data breach. Under Article 58 of the GDPR, the Office of the Data Protection Commissioner, for example, will be able to fine Irish companies who are found guilty of a data breach, regardless of whether it is deliberate or accidental. The Commissioner's Office will be in charge of imposing fines on corporations which have their European headquarters in Ireland (such as Facebook, Apple, LinkedIn, Twitter and PayPal) to the tune of a maximum of €20 million, or 4% of their total worldwide annual turnover of the preceding financial year (whichever is higher) in the event of such a breach.
It must also be noted that there is an equal obligation for data processors to appoint a DPO, just as there is for data controllers to do so. The GDPR sets out detailed requirements for data processors who will now be held solely responsible for their processing activities. The current EU legislation, which dates from 1995, does not apply to data processors. Moreover, a single DPO may represent multiple organisations and does not have to actually be a member of staff - several organisations could therefore collectively appoint one DPO to represent their combined interests. Finally, it should be mentioned that the DPO will often carry out other tasks and duties. For example, the role of DPO might be added to the list of responsibilities of a manager or director of a company.
Research shows that expected compliance is not currently matched by awareness levels and that, conservatively, up to 28,000 DPOs will need to be appointed across the EU before the GDPR becomes law. However, as there is a two-year run-in period until the Regulation comes into effect, there remains plenty of time for organisations to ‘get their house in order’ and to designate and adequately prepare their DPO for the responsibilities expected of the role.