Under the European Union’s General Data Protection Regulation (GDPR), certain in-scope organizations must designate a data protection officer (DPO). The GDPR data protection officer functions in a number of capacities that are all geared towards ensuring that the organization they work with or for maintains compliance with the GDPR. The GDPR itself is a sprawling regulatory structure whose implementation has led to a large amount of confusion about which organizations and companies are considered in-scope, and how exactly those entities maintain compliance.
If you are within the scope of the GDPR, you should already have taken the necessary steps to be compliant. Despite the fact that the timeline to attain compliance has already passed, many organizations may not have designated a data protection officer. This is no doubt partially due to the fact that many people aren’t clear on what a data protection officer is, and exactly which organizations must designate or utilize one.
Due to the importance of maintaining compliance with the GDPR on an ongoing basis, it is essential to gain a firm understanding of whether or not you are required to designate a data protection officer. At the same time, you should also spend some time getting a sense of the role of a general data protection officer and how they help enhance data security and maintain compliance with the GDPR.
From the outset, it should also be kept in mind that while the GDPR is a regulation with which in-scope entities must comply, the function of a data protection officer can also enhance your organization’s overall sensitive data protection efforts. In essence, a data protection officer helps ensure that your cybersecurity implementation is adequate to meet the requirements of the GDPR, and by extension, these efforts produce a much more robust data security program than would otherwise exist. At the same time, data protection officers fulfill an important oversight and coordination role, while ensuring staff are trained on up-to-date cybersecurity best practices. Taken as a whole, these efforts help organizations reduce risk and increase the effectiveness of their cybersecurity efforts.
A Brief Introduction to the GDPR
If you aren’t familiar by now with the GDPR, it helps to have a basic level of understanding about this regulatory structure before diving into the role of data protection officers. The GDPR is a large body of regulation that was created in the EU and went into effect on May 25, 2018. The main thrust of the GDPR is to create enforceable requirements for organizations that interact with and store sensitive personal data on individuals in the EU. The GDPR specifically addresses the processing and storage of personal data, which is defined in the regulation as data that relates to an identified or identifiable individual.
The GDPR has a wide scope that has challenged many entities to assess whether they are bound by these regulations. The GDPR is applicable to controllers and processors that store, transmit, or collect personal data on individuals in the EU. Within the GDPR these individuals are referred to as data subjects. For the purposes of the GDPR, controllers are entities that make the decision to store or collect data on data subjects. Processors are entities that are tasked with processing or interacting with that data on behalf of a controller. Both entities have responsibilities to ensure that the requirements laid out in the GDPR are met, although these diverge in some areas. Before implementing the provision to appoint a data protection officer, it is important to fully understand whether you are a controller or a processor, whether you are in-scope for GDPR requirements, and whether you meet the criteria that make appointing a data protection officer mandatory.
What is important to note about the GDPR is that although it is concerned with data subjects in the EU, it applies to organizations that may be primarily based or operate outside of the EU. Given the high degree of interconnectivity in today’s world, this makes sense, yet it can present challenges for organizations based in countries like the United States. At a basic level, if you collect, transmit, store, or interact with personal data of individuals in the EU, then you are required to comply with the GDPR. Determining your compliance requirements can be challenging, so if you are unclear about whether you are required to comply with the GDPR, it is time to consult with an expert familiar with GDPR requirements.
What Exactly Is a Data Protection Officer?
Data protection officers are used to fulfill a variety of roles under the GDPR. Because of the broad scope of responsibilities that fall under the purview of this position, it is difficult to provide a simple and concise definition. Data protection officers serve primarily in an oversight role and are responsible for ensuring that data protection requirements set forth in the GDPR are maintained across your entire organization. In some cases, a data protection officer can provide an oversight function for a number of different related organizations, such as for a municipal government. Put another way, a data protection officer performs ongoing compliance monitoring to ensure that the requirements outlined in the GDPR are being met at all times.
Monitoring compliance is one of the five essential tasks of the data protection officer that is set forth in Article 37 of the GDPR. The full text of the document can be found here, with the portion relevant to data protection officers found starting on page 34. In addition to compliance monitoring, data protection officers are charged with advising controllers and processors on their obligations to protect personal data as outlined in the GDPR. Data protection officers also provide advice on the Data Protection Impact Assessment (DPIA), must cooperate at all times with the supervisory authority, and serve as the primary liaison with the supervisory authority.
Article 37 of the GDPR doesn’t provide granular requirements for the individuals who may serve as a data protection officer. Instead, a broad outline of the qualifications of the individual is provided. The GDPR states that data protection officers must be experts in data security and must be fully informed of data protection and data privacy laws. This gives organizations a large amount of leeway to find individuals to fill this role who are the best fit for their business and operational needs. At the same time, this makes hiring a data protection officer more difficult because no data protection officer certification or equivalent qualification is explicitly outlined in the data protection law.
It is important to note that the GDPR explicitly allows for data protection officers to be an existing staff member of a controller or processor. Alternatively, controllers and processors may contract out to a security specialist who will serve as the data protection officer. The decision to promote a data protection officer in-house, or utilize one on a contract basis, is largely shaped by the needs of your organization specifically.
In some situations, it can be advantageous for organizations to create an internal data protection officer role, as these individuals will tend to be more integrated into the culture of the organization. Alternatively, utilizing a data protection officer on a contract basis can give organizations access to a high degree of expertise without the added investment associated with creating and filling the role internally. There is no right answer, and both options are acceptable under the terms of the GDPR. However, organizations should keep in mind that the data protection officer is required to operate independently, and can’t be terminated for simply fulfilling their role in GDPR compliance monitoring. Individuals who serve in the data protection role must be free of any conflicts of interest, which can present challenges for organizations looking to augment an existing position with the responsibilities of the data protection officer.
What should be kept in mind is that the data protection officer may not be given direction on how to execute their function. Rather, the data protection officer is expected to operate independently. It is also important to consider that the data protection officer is expected to report to the highest levels of an organization. Integration between management and the data protection officer is essential to ensure that they are able to do their job effectively. Related to this, the data protection officer must have full access to all information necessary to perform the requirements of their position. As you might expect, this means that the data protection officer must be involved in all issues related to data protection at any level of your organization.
The requirement for data protection officers to be integrated into all levels of your organization is supplemented by further requirements for accessibility. Specifically, data protection officers must be accessible to both data subjects and the supervisory authority. Inherent in their role, they must also be accessible to individual employees and all levels of management within an organization. In this way, data protection officers also serve an important role in communication between the entities involved in data protection, from the subjects themselves to the employees and managers of controllers and processors, as well as the supervisory data protection authority. This fulfills an important tenet of the GDPR, which is to promote transparency in how personal data is protected. Alongside this, it highlights the many hats that data protection officers must be capable of wearing, since they serve in both an oversight and compliance capacity and a coordination and communication capacity.
From the aforementioned requirements, you should expect a data protection officer to demonstrate a robust expertise in all aspects of data protection. Data protection officers must be skilled communicators, and must continually strive to maintain their level of expertise while fostering a culture of data protection within your organization. One of the most important ways that data protection officers do this is through ongoing training and security awareness for both employees and management alike. A data protection officer must be available to regularly attend management meetings, and coordinate with management to ensure that data protection is a primary objective of the organization from the top down. An advantage of the expertise that data protection officers have is in helping implement key areas of the GDPR to ensure that your organization remains in compliance.
The role of the data protection officer is critical in ensuring that GDPR compliance efforts are deployed across your entire organization. Data protection officers serve in a wide capacity, from ensuring ongoing data protection compliance to helping create a security culture in your organization that improves your cybersecurity resilience as a whole. There isn’t one discrete task that a data protection officer will perform. Rather, data protection officers are charged with a broad scope of responsibilities and must rely on their expertise and knowledge of data protection to ensure that those responsibilities are met.
Although it can be advantageous to augment an existing employee’s duties with the responsibilities of the data protection officer role, this can be challenging due to the pervasive risk of conflicts of interest. Organizations may also choose to contract with an external security consultant who serves as a data protection officer. This can give organizations that have a smaller footprint, but are still required by the GDPR to appoint a data protection officer, access to a wealth of knowledge and expertise without a costly investment. Ultimately, the choice of whom you appoint as a data protection officer will be determined by your particular organizational and operational needs. To learn more about cybersecurity solutions and how an external security provider can help your organization fulfill the requirement to designate a data protection officer, contact RSI Security today.