What is a Data Protection Officer and Do You Need One?

GDPR brought sweeping changes to how companies think about data protection, and as a result, some companies will need to appoint a data protection officer (or DPO) to ensure ongoing compliance. With an estimated 28,000 new DPOs needed in just the US and Europe, companies should be making an effort to become more familiar with this position. So what is the role of a data protection officer, why are they so important, and who is best suited to step into this new position?

What Is a DPO Responsible for?

First and foremost, a DPO is tasked with helping a company understand how GDPR relates to the company’s business and advising both company management and employees on the proper steps to take to ensure compliance. While the DPO will also observe and evaluate risk as part of the compliance process, he or she should not make any decisions for the company, they are to act as an advisor only to ensure there is no conflict of interest.

What Kind of Companies Need to Hire a DPO?

There are two criteria that determine whether an entity needs to appoint a DPO: if the core activities of the company require regular and systematic monitoring of individuals on a large scale, and if the company is processing significant amount of sensitive data—either the “special categories” listed by GDPR or data related to criminal convictions and offences. In both cases, the data, if misused or leaked, can severely damage the privacy of the affected people, hence the need for a DPO regardless of the company’s size.

Some industries like banking or healthcare have had strict rules in place to assure individual privacy for decades, so these sectors will see less of an impact as a result of employing a DPO. Those companies that collect a lot of personal data and use that data to try to make money, like social media companies or advertisers, but also a lot of SaaS companies, might see more significant changes to the way they do business after hiring a DPO.

How Does a DPO Fit into a Company’s Structure?

Unlike most other roles within a company, the DPO must operate independently because their primary responsibility is the individual, and individual rights will frequently clash with company interests and goals. It would be nearly impossible for a DPO to balance the needs of these two disparate groups, which is why the DPO can have no other responsibilities that might affect individual privacy beyond those tasks specifically assigned to a DPO under GDPR, and should only provide recommendations upon which management must make the decision.

Furthermore, a company cannot dismiss a DPO based on his or her recommendations. As long as the action recommended by the DPO was part of a good faith effort to protect the individual, the company also cannot hold the DPO responsible for any penalties or ill effects. In the end, this requires that companies take the hiring of a DPO very seriously, rather than just appointing a straw person and blaming or even charging that person if things go wrong.

That being said, a DPO does not necessarily have to be a full-time role or even an employee. In particular, smaller companies may decide to outsource this role to an external privacy expert who serves as a contractor in an attempt to find a more cost-efficient way to comply with GDPR.

Who is Best Positioned to be a DPO?

Those best suited to the role of DPO should have extensive knowledge of data protection laws and practices as well as an understanding of how these fit into the market in which the company operates. This combination of skills enables a DPOto provide advice, ensure ongoing compliance, and conduct privacy impact assessments that are relevant and meaningful—not just a compliance theater. Obviously, those in an existing privacy officer position within the company or industry are good candidates. Similarly, those who want to become a DPO will be hard-pressed to find a program that goes beyond privacy law theory. Only by having a firm understanding of the unique challenges associated with a particular field can a DPO hope to successfully advise and guide a company through the challenges that GDPR compliance, and, more importantly, respect for individual privacy, brings.

What if a Company Does Not Need a DPO?

Even though not all companies need to appoint a DPO, companies that work with personal data or PII should always have a role that is responsible for privacy on a company level. Many companies call this role Privacy Officer, and while the positioning and requirements are typically very similar to the DPO role, companies obviously have more freedom as to where the Privacy Officer is positioned within the organization structure and what other tasks might be assigned to this role.