Do You Have To Appoint A Data Protection Officer

Does your company need a Data Protection Officer?

Contrary to popular belief, the General Data Protection Regulation (GDPR) does NOT call for the mandatory appointment of a DPO for everyone! First of all, you will need to determine whether the GDPR applies to your business at all. We recommend you read “Who does the EU GDPR apply to?”

Your company needs to comply with the GDPR if it falls into one of the two categories:

1. You are a company based in the EU that processes personal information of EU citizens and residents
2. Your company is not based in the EU, but offers products or services to EU residents or monitors the behavior of EU residents

If you have determined that you have to comply with the GDPR, you are obligated to appoint a DPO only under certain criteria.


How do you determine whether you have to appoint a DPO?

Once you have determined that you are indeed processing personal information of EU citizens or residents, you will have to appoint a DPO if you answer YES to any of these 3 questions:

✅ Are you a public institution, public body or public authority?

✅ Do your core activities involve regular, systematic and extensive monitoring of individuals on a large scale? If your company is processing personal data to achieve the company’s key objective, it is a core activity. However, processing your employee data to pay wages is not a core activity; it is a secondary activity.

✅ Do your core activities consist of large-scale processing of special categories of personal data or data relating to criminal convictions and offenses? Special categories of personal data can be criminal records, medical records, religious or philosophical beliefs, trade-union membership, political opinions and so on.

There is an easy quiz to determine whether you need to appoint a DPO!

In addition, the legal norm on appointing a Data Protection Officer leaves flexibility to the Member States. They are free to decide whether a company has to appoint a Data Protection Officer under stricter requirements.

Also, the size of your company is not the determining factor when it comes to whether you need to appoint a data protection officer or not. What matters is the core processing activities that are fundamental to achieving your company goals.


Can you appoint a Data Protection Officer even if it is not mandatory?

If you assess that a DPO can help your company align internal processes to be GDPR compliant, you are free to appoint one.

However, if you voluntarily appoint a DPO, you will have to apply the same criteria and requirements as if the DPO were appointed by law, and register your DPO with a supervisory authority.

The requirements under Articles 37 to 39 will apply as if the designation had been mandatory.

Your voluntarily appointed DPO should also have the proper expertise, adequate training, resources and standing in your organization, and should report to upper management.

You have to take into account the sensitivity of your industry and the sensitivity of the personal data you are processing, and appoint a DPO who can handle the task.

Data controllers and data processors should document their internal analysis of whether they need to appoint a DPO or not, to demonstrate that they have taken the relevant factors into account in determining whether they need a DPO.

Do companies have to publish who their Data Protection Officers are by name?

It is mandatory to communicate the contact details of the DPO to the supervisory authority. However, the GDPR does not say whether you should inform the public of your DPO’s name.

We recommend that you do, following best practice (Guidelines on Data Protection Officers). Make the DPO’s information available so data subjects can contact the DPO directly without having to go through other departments.

The information you publish about your DPO should allow data subjects and the supervisory authority to contact the DPO, and could be:

✅ e-mail address
✅ phone number
✅ address…

Also, add a name so a person sending an email or making a phone call can address your DPO. Find out which institution in your country is the supervisory authority and look for the form on their website to report your DPO’s contact details.

Article 37 outlines the designation of the Data Protection Officer: “The controller or the processor shall publish the contact details of the data protection officer and communicate them to the supervisory authority.”

Can you appoint a single DPO for multiple companies?

If your organization is part of a group, you can appoint a single Data Protection Officer, as long as the DPO is accessible to all organizations in the group.

This is referred to in Article 37 of the GDPR, “Designation of the data protection officer”.


Outsourcing a Data Protection Officer

Data Protection Officers are in demand across all industries, and therefore it can be quite difficult to fill this position by appointing an internal DPO. Companies that are suddenly obligated to appoint a DPO, or that would benefit from doing so, often do not have the internal resources to appoint one from their own ranks.

A lot of training and education is required to get an internal DPO to the point where he or she has an overall knowledge of the GDPR. That is why many companies are considering outsourcing.

Can you outsource a DPO? Yes.

There are certain benefits and downsides to outsourcing a DPO:

❌ An outsourced DPO may not be familiar with how your organization or business operates and will have to learn about all processing activities and data collection points.
❌ An outsourced DPO may have never worked for companies in your industry.
❌ An outsourced DPO may not be as involved, and can be fairly expensive if additional costs for services are charged.
❌ There is a chance that an outsourced DPO will not be properly involved in all issues in a timely manner, as required by the GDPR.
❌ The employee who takes over the DPO responsibilities and duties will have to be replaced in his or her current position.

✔️ It can be fairly practical to outsource a DPO rather than invest a lot of time and resources into an internal employee.
✔️ There is less chance of a conflict of interest between the DPO and other organizational units.
✔️ An outsourced DPO probably already holds certificates and is immersed in the GDPR subject.
✔️ You may not need a full-time DPO, so outsourcing will make more sense than appointing someone who already has their own set of responsibilities in another role and could come into a conflict of interest.