Ultimate guide to connecting Virtual Data Protection Officer
Legal Nodes Team
Recent years have seen a new compliance area emerge: data protection. It was one of the hottest topics at the World Economic Forum 2019 in Davos. As the most valuable companies in the world, such as Amazon, Apple, Facebook and Google, have shown, personal data has become an extremely profitable asset in the 21st century.
To date, the most discussed personal data protection legislation is the General Data Protection Regulation (“GDPR”). Since its entry into force in 2018, Art. 37 GDPR has obliged certain EU companies to appoint a Data Protection Officer (DPO).
Connecting an appropriate Virtual DPO can greatly reduce a start-up’s data protection costs and, subsequently, prevent or eliminate its liability for data protection wrongdoing. By contrast, heavy spending on hiring a full-time DPO may be disproportionate to the budget and needs of the business.
This article explains who the Data Protection Officer is, why you should consider outsourcing DPO services, and how to pick one that matches the needs of your business.
Who needs a DPO?
The GDPR sets out three cases in which organisations need a DPO.
1. A company regularly and systematically monitors and processes the personal data of its customers, clients or other individuals.
What does this mean? If a start-up’s business model involves the continuous and pre-arranged collection and processing of personal data, say, for KYC procedures, credit scoring, matchmaking or targeted advertising, then the company must have a DPO in place.
Therefore, exchanges, digital identity service providers, social networks, e-banks, adtech companies and many other businesses built on personal data are obliged to appoint a DPO under the GDPR.
2. A company collects and processes 'sensitive' personal data.
Sensitive or special category data, under the GDPR, includes any health data, biometric identification data, characteristics of a person that could be grounds for discrimination, such as racial or ethnic origin, political or religious beliefs, trade union membership and sexual orientation, information about a person's sex life, and information about criminal convictions.
As a result, organisations that process sensitive data, such as start-ups operating in the healthcare sector, DNA analysis providers and platforms collecting data about people's sex lives (e.g. dating platforms), must designate a DPO.
3. The processing is conducted by a public authority or body (except for courts in the course of their judicial capacities).
Key DPO responsibilities
Acting as an intermediary between the regulatory body and the company, the Data Protection Officer has many responsibilities. The key ones are the following:
1. Monitoring GDPR compliance at the organisation the DPO works for. All of the company’s GDPR efforts, from privacy statements to corporate data protection policies and technical security measures, fall under the supervision of the Data Protection Officer.
2. The Data Protection Officer’s oversight covers the work of all departments, officers, employees and contractors who handle the collected personal data. The DPO must cooperate with all units involved in personal data processing and check whether they comply with the Regulation.
3. Ensuring GDPR compliance is not a direct responsibility of the DPO. This task rests with executive management, since they make the decisions on personal data processing and represent the organisation in this regard. For their part, DPOs analyse daily operations and advise on how to comply with the GDPR provisions.
4. DPOs are not personally liable for a company’s violation of the GDPR. They will be responsible only if they failed to perform their professional obligations and this resulted in the company being non-compliant.
5. The work of the DPO must be risk-based. If a DPO analyses the marketing practices of a company, they consider:
- the sensitivity of the personal data involved;
- the current level of protection;
- costs of implementing security measures; and
- the actions that might lead to a data breach and the consequences it could have for consumers.
Such an approach makes it possible to choose the right measures to address the possible risks, ensuring compliance and reaching the marketing goals at the same time.
6. Being a contact point for the competent authorities and cooperating with them in case of any inquiries or investigations. In all cases, the DPO must retain independence from internal influence (discussed below) as well as the ability to balance the company’s interests against the duty to assist regulatory bodies in investigating possible violations.
DPO Position Requirements
A DPO performs diverse responsibilities of the utmost importance within a company. Consequently, certain requirements attach to this position, which companies outsourcing DPO services must consider:
— DPOs must be independent within the organisation and report directly to the highest management level of the company. Instructions regarding the exercise of their tasks are prohibited;
— The DPO's position must not cause a conflict of interest inside the company. Any direct interest of the DPO in the start-up’s profit or success must therefore be avoided.
The European regulatory body since replaced by the European Data Protection Board identified in its Guidelines on Data Protection Officers that the chief executive, chief operating, chief financial and chief medical officers, and the heads of the marketing, Human Resources and IT departments, are roles that conflict with the DPO position. Even the company's General Counsel may not be an appropriate person for this position, since the GC represents the company's interests first and foremost;
— With the correct company structure, the people whose skills best match the DPO role will be a technology-focused lawyer or an information systems auditor;
— To optimise costs, a start-up can hire a DPO externally, with the help of ‘DPO-as-a-service’ providers. This is far more affordable than hiring a full-time employee. Connecting a Virtual DPO also ensures their independence and an appropriate professional skillset.
Most data-driven companies should consider connecting a Virtual DPO, whether an internal or an external one. During online checks or GDPR compliance investigations, the first thing EU regulatory bodies examine is whether a Data Protection Officer is in place and whether their contact details are available.
For example, in November 2018 the Dutch Data Protection Authority randomly selected 45 banks and 93 insurance companies and checked only whether a Data Protection Officer had been appointed. After identifying 13 non-compliant banks and 23 non-compliant insurers, it issued notices requiring them to appoint DPOs and continued its investigations. Eventually, all of the examined banks and insurance companies reportedly complied with the obligation.
If hired appropriately, a Data Protection Officer becomes a helping hand for a start-up navigating complex data protection regimes. The DPO will monitor the current regulatory situation and advise on further steps towards GDPR compliance. Moreover, in the event of supervisory checks or investigations, the presence of a DPO in a start-up is a substantial advantage for the purposes of compliance assessment.
Alternative approaches to DPO outsourcing allow you to optimise the costs of DPO services while maintaining compliance with Art. 37 GDPR and developing a detailed plan for further action.
At Legal Nodes, only certified privacy experts (CIPP/E, CIPM, CDPSE, etc.) with substantial experience in tech are offered as external DPOs. Find out more on our dedicated DPO page.
Disclaimer: the information in this article is provided for informational purposes only. You should not construe any such information as legal, tax, investment, financial, or other advice.
Legal Network Manager at Legal Nodes