Data Protection Officers - Who Needs Them?
Data Protection Officers. It’s a topic that seems to be on everyone’s mind now that we are actively preparing for the implementation of the GDPR, but who needs them?
Anyone working in information security management is by now well aware of the upcoming EU General Data Protection Regulation (GDPR). Come to think of it, even those outside information security have probably heard of it, given the amount of coverage it has received. That is no surprise: the new regulation is the most far-reaching data protection law to date. Although it is enacted by the European Union, it will affect companies worldwide, because the 28 EU member states together not only form the world's largest economy but are the top trading partner for 80 countries. More to the point, the regulation's territorial scope (Article 3) is not limited to organisations established in the EU: any organisation, wherever it is based, that processes the personal data of people in the European Union in connection with offering them goods or services or monitoring their behaviour will need to comply with the GDPR.
Soon after the GDPR made the news, another abbreviation started appearing everywhere: DPO. The Data Protection Officer is not a new role as such, but with the sudden focus on the legal side of data protection, it makes sense to pay more attention to it. The International Association of Privacy Professionals originally estimated that the new regulation would require 28,000 DPOs in Europe and the United States; it has since raised that estimate to 75,000 new DPO positions worldwide. That is a lot of positions to fill, which leads to the question: who actually needs a Data Protection Officer?
The Fine Print
Contrary to what you may have heard, not every company will be legally required to appoint a DPO. According to the Article 29 Working Party's Guidelines on Data Protection Officers (WP 243), which interpret Article 37 of the GDPR:
“it is mandatory for certain controllers and processors to designate a DPO. This will be the case for all public authorities and bodies (irrespective of what data they process), and for other organisations that - as a core activity - monitor individuals systematically and on a large scale, or that process special categories of personal data on a large scale.”
In short, an organisation must designate a DPO if it is a public authority or body, or if its core activities (as opposed to ancillary activities such as payroll or IT support) consist of either regular and systematic monitoring of individuals on a large scale, or large-scale processing of special categories of personal data (Article 9) or of data relating to criminal convictions and offences (Article 10). Processing that is inextricably linked to the core activity counts as a core activity: a hospital processes patient health records as an inseparable part of providing care, for example, so it falls within the rule even though its "business" is healthcare rather than data.
Note that the regulation does not define what constitutes a public authority or body, as this varies with national law, so each organisation must establish whether it qualifies under the law of the member state in question. If an organisation does not clearly fall under one of the mandatory cases, it should still evaluate, whether it acts as a controller or a processor, whether it is prudent or useful to appoint a DPO voluntarily (in which case the same requirements of Articles 37 to 39 apply). The guidelines recommend documenting that analysis, so that the organisation can show the supervisory authority the factors it weighed if the decision is ever questioned.
Taking Action
If you have decided to appoint a Data Protection Officer, your next step is deciding in what form. The most obvious choice is to hire a full-time, in-house DPO. Depending on the size of your organisation, however, an external consultant engaged under a service contract may be sufficient, or a group of undertakings may share a single DPO (Article 37(2) and (6)). The in-house option has clear advantages, since the DPO is fully involved in what the company does and always on site, but the other two are equally valid under the regulation, provided the DPO is easily accessible from every establishment and can be reached by data subjects, staff and the supervisory authority. Whichever model you choose, the DPO must report directly to the highest level of management, must not receive instructions on how to carry out the role or be penalised for doing so, and must not hold other duties that create a conflict of interest (Article 38); appointing, say, the head of IT or marketing as DPO on the side is a common mistake.
Even if your company is not required to appoint a DPO, you are not off the hook. As long as your company processes any personal data, you need to be familiar with the GDPR and what it requires of you. So if you do not need a DPO, how can you make GDPR compliance an everyday practice without it becoming a bureaucratic mess?
It is our experience that controlling and compliance can best be achieved with a software tool rather than by relying on manual procedures, spreadsheets, or the work of a single employee. As with our GRC platform, we have created a tool that makes the GDPR easy to understand and helps ensure ongoing compliance. A software tool gives a clear overview of exactly what you need to do and, more importantly, makes it easy to complete those tasks consistently and to keep the records (such as the register of processing activities required by Article 30) that demonstrate compliance. It also makes a Data Protection Officer's job easier, by providing a clear overview of the tasks at hand and the means to educate and involve other employees. So whether you employ a DPO or not, if you process personal data your company will almost certainly benefit from software that supports GDPR compliance. Finally, keep in mind that a DPO's role under Article 39 is to inform, advise and monitor compliance, not to implement your data protection measures. The controller remains accountable (Articles 5(2) and 24): your organisation is still responsible for carrying out the practices needed to comply with the new regulation, and appointing a DPO does not transfer that responsibility.
