GDPR and the Role of the Data Protection Officer

David Ross


October 1, 2018

gdpr data protection officer

As it has now been months since its enactment at the end of May, organizations should have already taken the necessary steps to become compliant with the European Union’s General Data Protection Regulation (GDPR). They should have conducted their readiness assessments to understand the data, systems and controls that are impacted by the regulation and enacted new or updated existing processes to address the regulation’s requirements. But GDPR is not just about processes and controls.

Depending on the core services and customers they serve, a critical question still looms for many organizations: Do we need a data protection officer (DPO)? To decide if hiring a DPO is necessary, it is important to understand what the regulation actually states regarding the role of a DPO and where one is required or, at the very least, recommended.

The Role of the Data Protection Officer

As stipulated by the GDPR, the data protection officer must have expert knowledge of data protection law and practices. The DPO is responsible for informing the controller or processor and their employees of data protection regulations, monitoring compliance and training staff, providing counsel on data protection impact assessments, and engaging with the relevant authorities.

The GDPR makes it clear that certain organizations must appoint a DPO. Such organizations include:

  • Public authorities. This includes government agencies and publicly funded institutions (such as universities, research centers and museums) that process personal data in the EU or personal data that originates from the EU.

  • Organizations with core activities comprising “regular and systematic monitoring of data subjects on a large scale.” This includes companies that do job searches, and those that are involved in social media, marketing or anything associated with movement of money.

  • Organizations where core activities contain “large scale” processing of “special categories” of personal data. Special categories include information related to health, race or ethnicity, political beliefs, union memberships or other potentially sensitive information.

The new regulation presents a challenge in that it never addresses which entities do not need a DPO. Organizations therefore need to look at privacy through a risk management lens to not only better prepare for privacy-related regulatory compliance but also to address broader enterprise-wide privacy risks and advance strategic objectives.

In assessing the need for a DPO, it is helpful to think in the broader context of risk overall. Does your organization face significant financial, reputational, production or regulatory risks if data is compromised? Are the potential impacts of noncompliance (such as fines, legal action and public relations) a real threat to your organization? And can you realistically withstand them? Remember, the penalty for GDPR noncompliance can reach a whopping 4% of global revenue or €20 million, whichever is greater.

Once an organization determines the need for a DPO, they will need to consider how to fill the role. The regulation states that the DPO can be a staff member or contractor with expert knowledge of data protection law and practices, but while the broad job description might make it sound like an IT responsibility, the expertise and skills required of the DPO role go beyond a traditional IT function.

In fact, the GDPR also introduces an independence requirement similar to the internal audit function: The DPO is not allowed to take instruction from their employer, cannot be dismissed for doing their job and must report directly to the “highest management level.” The necessary firewalls make it difficult to assign someone who already holds another post.

Another option is to engage a third party to serve as a “virtual DPO.” Some firms can serve as virtual DPOs for organizations, which offers a few advantages:

Cost: A small or mid-sized firm is unlikely to spend $200,000 or more per year to hire a dedicated DPO. The virtual route allows the organization to engage at whatever level is appropriate.

Expertise: A virtual DPO can leverage the experience gained from working with multiple companies across multiple verticals. Tapping into this practical privacy experience can help with the development of best practices.

Agility: A virtual DPO’s job is to stay ahead of new regulatory developments and data protection techniques globally, including emerging case law on GDPR. This provides the organization with timely, relevant insights and guidance to support planning and decision making.

What to Look For in a Data Protection Officer

When it comes to skills and credentials, data protection officer backgrounds can vary considerably. It is a relatively new discipline and the few privacy certifications that currently exist are fairly immature. In general, there are some high-level attributes the DPO should possess, regardless of whether an organization chooses the internal or external path:

  • The data protection officer must be an expert on privacy. The DPO must have extensive knowledge of privacy issues and regulations. This is not limited to GDPR, of course. Knowing the universe of privacy—such as HIPAA (Health Insurance Portability and Accountability Act), COPPA (Children’s Online Privacy Protection Act), and PCI DSS (Payment Card Industry Data Security Standard)—is essential. An understanding of international laws and penalties is also important. For example, Malaysia’s new data privacy act includes jail time as a penalty for violations. It is essential for a potential DPO to have a strong understanding of existing regulations and how they apply in your type of organization, as well as an awareness of developing regulations.

  • The data protection officer needs a deep understanding of your enterprise. Every organization’s privacy needs and risk profile are different. The DPO needs to understand the factors at play in your industry. They also need to understand your organization’s culture, processes and unique relationship to data and data privacy.

  • The data protection officer must be well-matched to the accountability function rather than the IT function. While a basic understanding of your organization’s technology will be important, the DPO is more closely related to an auditor than an engineer. Backend integration is a relatively minor aspect. The DPO will likely spend significant time monitoring compliance and addressing processes and controls, understanding what different business units are launching, educating staff, managing data requests and communications with data subjects, providing the necessary information to leadership and the board and corresponding with authorities.

  • The data protection officer must be able to act as the “privacy champion,” influencing the culture and rallying support from the very top. The DPO will require a high level of cooperation across the enterprise, including buy-in from senior management and functional leaders. A culture change is critical. The entire organization needs to embrace a data privacy mindset and make it just as much of a priority as they would expect it to be when handled by other organizations.

GDPR is only one regulation among many pieces of proposed legislation worldwide, much of which is driven by shifting consumer sentiment. Organizations must be ready to adapt across their enterprises. Ultimately, they will need to be clear on where they stand on data privacy, understand their unique risks and act accordingly to take control of the information they collect and process. For many organizations, that will mean addressing the DPO role.
David Ross is a principal at Baker Tilly and serves as the firm’s privacy practice leader as well as cybersecurity advisory leader.