Every organisation needs to comply with the EU General Data Protection Regulation (GDPR) when it comes to personal data. However, not every organisation needs a designated data protection officer (DPO). This blog is the first of a two-part series looking at what kinds of organisations need a DPO, who is suitable to fill the role, and the responsibilities of the post.
Does every organisation need a DPO?
Most organisations will only need to manage their GDPR requirements by appointing someone for oversight. A data protection manager will have similar tasks and responsibilities to a designated DPO but they won’t need to be registered with a supervisory authority. The supervisory authority is the dedicated data protection regulator operating in that country; in Ireland for example, it’s the Data Protection Commission.
What are a DPO’s responsibilities?
The DPO monitors compliance with the GDPR, as set out in Article 39(1)(b). In practice, this means they:
- Collect information to identify processing activities
- Analyse and check the compliance of processing activities
- Inform, advise, and make recommendations to the controller or the processor.
Does the data protection role require a full-time resource at my company?
Whether or not you need a full-time person for the role depends on the complexity of the processing and the size and structure of your organisation. It is worth highlighting that most small and medium enterprises can manage their GDPR compliance as part of a different role once the initial governance structures and departmental responsibilities are in place.
When do I need to register a designated DPO with the supervisory authority?
The GDPR requires a designated (officially registered) DPO in three specific cases:
- Any public authority or body
- Any organisation whose main business activity requires processing a lot of individuals' personal data. This category includes organisations such as social media companies, digital service companies, loyalty brand companies, online retailers, digital marketing agencies, banks and financial institutions, search engine companies, IT service companies, etc.
- Any organisation whose main business activity requires processing a lot of special category data. This category includes all healthcare providers, insurers, digital health tech companies, telemedicine providers, online pharmacies, and even technology companies handling patient data, etc.
In relation to the concept of “main business activity”, consider the following example from the official guidelines: “A hospital processing health data, such as patient’s health records, should be considered as one of any hospital’s main business purposes and hospitals must therefore designate DPOs. On the other hand, all organisations carry out certain supporting activities that require the processing of personal data, for example paying their employees or having standard IT support activities. These are necessary support functions for the organisation’s main business. Even though these activities are necessary or essential, they are usually considered ancillary functions rather than the core activity.”
Finally, even if the GDPR does not specifically require the appointment of a DPO, organisations may sometimes find it useful to designate a DPO on a voluntary basis.
Where do I have to register a DPO?
One of the key considerations for registering a DPO is the business structure and activity of your organisation. If your organisation has a ‘main establishment’ in Europe, it should notify the supervisory authority there. The main establishment of an organisation is usually the place where the management decisions with regard to personal data are taken.
My business has various legal entities. Do I have to register a DPO for each one?
An organisation with various entities can designate a single DPO as long as the person is ‘easily accessible from each establishment’. This refers to the execution of the DPO’s responsibilities such as being a contact point for data subjects, the supervisory authority, and internally within the organisation.
In practice, this means:
- The DPO’s contact details must be available and publicised internally as well as externally
- The DPO must be able to communicate with data subjects and the supervisory authority in the official language of the country
- The DPO must be available during business hours in the relevant time zone.
Who can be appointed DPO? Are there any limitations?
There are no restrictions on who can be appointed as an internal data protection manager. A DPO, on the other hand, should report directly to the highest level of management and should have the necessary independence to perform their tasks.
The DPO cannot hold a position within the organisation that is associated with making decisions about the business activities related to processing personal data. Because every organisation has its own specific organisational structure, this needs to be considered on a case-by-case basis.
As a rule of thumb, conflicting positions may include senior management positions (such as chief executive, chief operating, chief financial, chief medical officer, head of marketing department, head of human resources or head of IT departments). It may also cover other positions or roles lower down in the organisational structure if they involve making decisions about the way personal data is processed.
Various supervisory authorities have fined companies for appointing the wrong person as DPO. A very controversial and harsh decision was made in 2020 against a company for appointing the head of compliance, risk and audit as DPO. The decision concluded that heading that department meant having decision-making power over the way the data is processed which resulted in a conflict of interest. Other supervisors have reached similar decisions about appointing IT managers as DPO.
In the second part of the blog, we’ll look at whether it’s possible to appoint an external DPO, the professional background they should have, and the resources their organisation needs to give them to carry out the job.
Tom Knierim is a data protection consultant with BH Consulting