poster
Privacy (GDPR)

Who is DPO and Why You Should Consider Hiring One

The emergence of compliance dates back to the 1990s with the U.S. Federal Sentencing Guidelines for Organizations (FSGO). Those guidelines state that companies, which have effective corporate compliance programs in place, may be exempt from the liability for corporate offences. To ensure this, companies start to designate a compliance officer – a person in control of compliance program introduction and monitoring.

Nowadays, the new compliance area has emerged – data protection. It has become one of the hottest topics at the World Economic Forum 2019 in Davos. As proven by the most valued companies in the world, such as Amazon, Facebook and Google, personal data became an extremely profitable asset in the 21st century. Those companies, however, tend to misuse this asset, reinforcing the need for specific regulation.

To date, the most discussed personal data protection legislation is the General Data Protection Regulation (“GDPR”). It applies on the EU territory from the 25th of May 2018. The main aim of passing the GDPR was to give EU residents more control over their data.

In furthering this aim, the GDPR provisions set out the strict requirements for personal data collection and its further processing. Any company falling under the Regulation scope shall be ready to prove that it is GDPR compliant.

Moreover, the Regulation explicitly requires data-driven organizations to hire the specific compliance officer – the Data Protection Officer (“DPO”). Hiring the appropriate DPO can greatly reduce start-up’s data protection costs and, subsequently, prevent or eliminate its responsibility for the data wrongdoings.

Who Needs DPO?

The GDPR sets out 3 main conditions which trigger the obligation to hire a DPO.

Public authority in the EU is subject to the data protection laws as well. They also need DPO who must provide an independent control over use of personal information whilst exercising governance responsibilities.

  1. A company regularly and systematically monitors and processes personal data of its customers, clients or other individuals.

    What does it mean? If the start-up’s business model involves the continuous and pre-arranged collection and processing of the personal data, say, for KYC procedure, credit scoring, matchmaking or targeted advertising, then the company must have DPO in place.

    Therefore, exchanges, digital identity services providers, social networks, e-banks, adtech and many other companies, whose business is based on personal data, are obliged to hire DPO under GDPR.

  2. A company collects and processes 'sensitive' personal data.

    Sensitive data, under the GDPR, includes any health data, biometric identification data, discriminatory characteristics of a person, such as racial or ethnic origin, political or religious beliefs, trade union membership, sexual orientation, information about person's sex life, and information about criminal convictions.

    As a result, organizations, which process sensitive data, such as start-ups operating in the healthcare sector, DNA analyzing providers and platforms collecting data about the sex life of persons (e.g. dating platforms) shall designate a DPO.

  3. The processing is conducted by a public authority or body (except for courts in the course of their judicial capacities).

    Public authority in the EU is subject to the data protection laws as well. They also need DPO who must provide an independent control over use of personal information whilst exercising governance responsibilities.

Checklist of the Key DPO Responsibilities

Being an intermediary between a regulatory body and company, the Data Protection Officer has plenty of responsibilities. Among the key, are the following:

  1. Monitoring of the GDPR compliance at the organization DPO works for. All company’s GDPR efforts, from privacy statements to corporate data protection policies and technical security measures, shall be under the supervision of the Data Protection Officer.
  2. Data Protection Officer’s authority covers the work of all departments, officers, employees, and contractors, who are dealing with the collected personal data. The DPO must cooperate with all units involved in the personal data processing and check if they comply with the European Regulation.
  3. Ensuring the GDPR compliance is not a direct responsibility of the DPO. This task relies on the executive management since they are making decisions on the personal data processing and represent the organization in this regard. For his part, the DPO analyzes daily operations and advises on how to comply with the GDPR provisions.
  4. As a result, DPOs are not personally responsible in the case of violation of the GDPR. They will be responsible only if they didn’t perform their professional obligations, and this resulted in the company being non-compliant.
  5. Work of the DPO shall be risk-based. If the DPO analyses the marketing practices of a company, he/she shall consider:
    • - the sensitivity of the personal data involved;
    • - the current level of protection;
    • - costs of implementing security measures; and
    • - the actions that might lead to the data breach and the consequences it may create for consumers.

    Such an approach allows to choose the correct measure to address the possible risks, ensuring the compliance and reaching the marketing goals at the same time.

  6. Being a contact point for competent government bodies and cooperating in case of any inquiries or investigations. This is a tricky obligation because it requires DPO to retain an independence from the internal influence (discussed below) as well as ability to balance between the company’s interests and assist regulatory bodies in investigating possible violations.

DPO Position Requirements

DPO performs diverse responsibilities of upmost importance in a company. Consequently, there are certain requirements that attach to this position, which companies hiring DPO must consider.

  • - DPO’s must be independent within the organization and report directly to the highest management level of the company. Any instructions regarding the exercise of his/her tasks are prohibited;
  • - DPO's position must not cause a conflict of interest inside the company. Any direct interest of the DPO in the start-up’s profit or successfulness must, therefore, be avoided.

    European regulatory body, the (now replaced by the European Data Protection Board) has identified in the Guidelines on Data Protection Officers, that the chief executive, chief operating, chief financial, chief medical officer, head of a marketing department, head of Human Resources or head of IT departments are bad roles for mixing with the DPO position. Even the General Counsel of the company may not be an appropriate person for this position since the GC represents the company's interests in the first place;

  • - With the correct company’s structuring, the most suitable persons matching DPO skills will be the technology-focused lawyer or information system auditor;
  • - To optimize costs, a start-up can hire the DPO externally, with help of ‘DPO-as-a-service’ providers. This is going to be cheaper than hiring a full-time employee and will ensure the independence and appropriate professional skillset.

Conclusion

As mentioned above, most of the data-driven companies should consider hiring a DPO, whether an internal or external one. During the online checks or GDPR compliance investigations, the EU regulatory bodies examine the presence of the Data Protection Officer and look for his/her contact details in the first place.

For example, in November 2018 the Dutch Data Protection Authority randomly selected 45 banks and 93 insurance companies and solely checked the presence of the Data Protection Officer. After revealing the 13 non-compliant banks and 23 non-compliant insurers, it issued the notices to hire DPOs and continued investigations. Eventually, all examined banks and insurance companies reportedly complied with the obligation.

Moreover, the Working Party 29 emphasized in its Guidelines, that although other companies are not obliged to have DPO, they are encouraged to do so in order to ensure the consistency with the other GDPR requirements.

If hired appropriately, Data Protection Officer will become a helping hand for a start-up in the complex data protection regimes. The DPO will monitor the current regulatory situation and give advice on further steps in the GDPR compliance. Moreover, in case of government bodies’ checks or investigations, the presence of the DPO in a start-up will act as a substantial advantage for the purposes of compliance assessment.

Disclaimer: the information in this article is provided for informational purposes only. You should not construe any such information as legal, tax, investment, financial, or other advice.

Vlad Nekrutenko, Privacy and Data Protection Lawyer at Legal Nodes

Need a lawyer in this area?

avatarchecked

Vlad

Ukraine

3 years in data protection

Experience
Vlad is a data privacy enthusiast and expert in the GDPR compliance. He possesses IAPP...
choose
choose

Legal Nodes Blog

For Startups
Terms of Use that your users will actually read

In this article Legal Nodes Team talks about Terms of Use, how to write them effectively and why you need them in the first place. You could find a FREE template at the end of this article....

Legal Nodes Team
Privacy (GDPR)
How Can You Leverage a Privacy Kit More Effectively?

In this article, Punit Bhatia, a leading privacy expert, shares how small businesses can become privacy compliant by using Privacy Kits in an effective and why just branding the documents and templates in name of your company is not a good idea....

Punit Bhatia
Legal Nodes Updates
Legal Nodes in 2020: A Year in Review

Despite the fact that for many 2020 will be strongly associated with the coronavirus pandemic and lockdown measures, it would be a mistake to forget all the good things that happened this year. Especially when the festive season approaches, and ...

Legal Nodes Team
Privacy (GDPR)
Internet data mining. Is it legal in the EU?

Data mining is the process of collecting and analyzing human-readable data for own purposes. More and more businesses are built on that concept, scientists and medics also use automatically combined data from different sources to spawn predictio...

Ewa Wojnarska-Krajewska
Privacy (GDPR)
11 simple (but complete) steps towards the GDPR compliance in 2020

The GDPR can be a wake-up call to sort out your processes, procedures and technology and thereby run a more successful organisation. Data is now more essential than ever, regardless of your activities or market sector. Not only will efficiencies...

Thomas Hayes
Contract Work
Force Majeure Clauses and the Effect of Coronavirus on Businesses

The coronavirus pandemic has made force majeure clauses one of the hottest legal topics worldwide. To help businesses navigate this issue, we asked Tom Bohills, an English qualified lawyer and the Founder of Chronos Law, to explain the backgrou...

Tom Bohills
Privacy (GDPR)
Privacy Policy: Everything you need to know

Privacy Policy (or Privacy Notice) is a public legal statement of the company. It explains how the organisation uses information about its users, customers, or employees....

Legal Nodes Team
Privacy (GDPR)
Initial Privacy Assessment: Everything You Need to Know

A privacy assessment is a methodic review of your state of compliance with personal data protection laws....

Legal Nodes Team
Legal Nodes Updates
Legal Nodes Secures the $50k Grant from the Ukrainian Startup Fund Pitching Competition

We are delighted to announce that Legal Nodes scored the highest during the fifth Ukrainian Startup Fund pitching competition and was awarded a $50k Grant. ...

Legal Nodes Team