Does your company need a Data Protection Officer?
Contrary to the popular beliefs the General Data Protection Regulation (GDPR) does NOT call for mandatory appointment of a DPO! First of all, you will need to determine if the GDPR applies to your business at all. We recommend you read “Who does the EU GDPR apply to?”
Your company needs to comply with the GDPR if it falls into one of the two categories:
1. You are a company based in the EU that process personal information of EU citizens and residents
2. Your company is not based in the EU, but offers products or services to EU residents or monitor the behavior of EU residents
If you have determined that you have to comply with the GDPR, you are obligated to appoint a DPO only under certain criteria.
How to determine if you have to appoint a DPO?
Once you have determined that you are indeed processing personal information of EU citizens or residents you will have to appoint a DPO if you answer YES to any of these 3 questions:
✅ Are you a public institution, public body or public authority?
✅ Do your core activities involve regular, systematic and extensive monitoring of individuals on a large scale? If your company is processing personal data to achieve the company’s key objective, it is a core activity. However, processing your employee data to pay off wages is not a core activity, it is a secondary activity.
✅ Do your core activities consist of large scale data processing of special categories of personal data or data relating to criminal convictions and offenses? Special categories of personal data can be criminal records, medical records, religious or philosophical beliefs, trade-union membership, political stands and so on.
There is an easy quiz to determine whether you need to appoint a DPO!
In addition, the legal norm to appoint a Data Protection Officer has a flexibility clause to the Member States. They are free to decide whether a company has to appoint a Data Protection Officer under stricter requirements.
Also, the size of your company is not the determining factor when it comes to whether you need to appoint a data protection officer or not. The essential will be the core-processing activities that are fundamental to achieving your company goals.
Can You appoint a Data Protection Officer even if it is not mandatory?
If you asses that a DPO can help your company align internal processes to be GDPR compliant, you are free to do so. In fact, many companies are appointing voluntary DPOs because it is easier to align with the GDPR and show customers and supervisory authority that they are taking this matter seriously.
However, if you voluntarily appoint a DPO you will have to apply the same criteria and requirements as if he is appointed by law, and register your DPO with a supervisory authority.
The requirements under Articles 37 to Article 39 will apply as if the designation had been mandatory.
Your voluntarily DPO should also have the proper expertise, have adequate training, resources, place in your organization and report to upper management.
You have to take into account the sensitivity of your industry, the sensitivity of personal data you are processing, and appoint a DPO who can handle the task.
As a controller or a processor, you should document your internal analysis of whether they need to appoint a DPO or not as a demonstration that you have taken into account relevant factors in determining if you need a DPO. Click here if you want to find out whether you are a data controller or data processor.
Do companies have to publish who their Data Protection Officer is by name?
It is mandatory to communicate the contact details of the DPO to the supervisory authority. However, whether you should inform the public about your DPOs’ name, GDPR doesn’t really say.
We recommend that you do, following the best practice (Guidelines on Data Protection Officers). Make DPO info available so data subjects can directly contact the DPO without having to go through other departments.
The info you publish about your DPO should allow data subjects and supervisory authority to contact a DPO, and could be:
✅ e-mail address
✅ phone number
Also, add a name so a person sending an email or making a phone call can address your DPO. Find out which institution in your country is a supervisory authority and search the form on their website to report your DPOs’ contact details.
Article 37 outlines the designation of the Data Protection Officer: “The controller or the processor shall publish the contact details of the data protection officer and communicate them to the supervisory authority.”
Can you appoint a single DPO for multiple companies?
If your organization is a part of the group, you can appoint a single Data Protection Officer, as long as he is accessible to all organizations.
This is referred to in an Article 37 of the GDPR, “Designation of the data protection officer”
Outsourcing a Data Protection Officer
Data Protection Officers are in demand across all industries and therefore it can be quite difficult to fill in this position by hiring internal DPO. However, companies who are all of a sudden obligated to appoint a DPO or would benefit from doing so, do not have internal resources to appoint one from their own ranks.
There is a lot of training and educations required to get the internal DPO to the point that he or she has an overall knowledge of the GDPR. That is why many companies are considering outsourcing.
Can you outsource a DPO? Yes.
There are certain benefits and downsides from outsourcing a DPO. If you have decided to outsource your DPO, make sure it is possible for external DPO to form relationships with internal stakeholders. This will be crucial for dividing responsibilities in your privacy program (if you want to know more about creating your privacy program read this!).
On the other hand, if you appoint an internal DPO who already has connections and relationships with privacy stakeholders, this could affect the DPOs’ performance.
For example, stakeholders might not see your DPO as an authority figure, while outsourced DPO can create an illusion of almost revisory role and independence.
Negative sides of outsourcing DPO
❌Outsourced DPO may not be familiar with how your organization or business operates and will have to learn about all processing activities and data collection points.
❌Outsourced DPO may have never worked for companies in your industry.
❌Outsourced DPO may not be so involved and can be fairly expensive if additional cost for services is charged
❌ There is a chance that a outsource DPO will not be involved properly in all issues in a timely manner, as requested per GDPR
❌The employee who takes over the DPO responsibilities and duties will have to be replaced in his current position.
Positive sides of outsourcing DPO
✔️ It can be fairly practical to outsource a DPO rather than invest a lot of time and resources into an internal employee.
✔️ Less chance of a conflict of interest between DPO and other organizational units
✔️Outsourced DPO probably already owns certificates and is submerged into the GDPR subject.
✔️You may not need a full-time DPO, so outsourcing will make more sense than appointing someone who already has their own set of responsibilities on some other role and can come into a conflict of interest
✔️ Internal DPO can lack authority with former colleagues, while external DPO can have clean-slate to form a relationship with other departments and units
Large company vs. Small company
I am sure you agree that the need for a DPO of a small company with domestic reach is far different from the need of an enterprise company that has a global reach and different exposure.
DPO in big enterprise company will most probably perform his duties full-time, need more resources like budget, staff, solutions for automatization and GDPR compliance, and more.
As a smaller company or organization, you will maybe have a part-time DPO with a tighter budget, and that’s OK, as long as they can perform their duty.
If necessary, grant them access to legal counsel that can help them with any legal questions and make sure they attend conferences and seminars to always be up to date.