As the European Union’s General Data Protection Regulation celebrates its first birthday and the California Consumer Privacy Act gets ready for enforcement in 2020, everyone, it seems, has data on their mind.
If your company does business in the European Union (and even if it doesn’t), the GDPR requires at least one person to have data on their mind: the data privacy officer, or DPO.
Who Needs a DPO?
Under Article 37 of the GDPR, any “controller” or “processor” of data whose core activities include “regular and systematic monitoring of data subjects on a large scale” or whose core activities include the processing of certain types of highly sensitive data must have a DPO.
This is a potentially far-reaching requirement, as many companies may qualify as “controllers” even if they do not process data themselves. For purposes of GDPR coverage, a “controller” is an entity that controls the purposes and means of processing data, while the “processor” is the entity that processes personal data on behalf of the controller.
Even if a controller (say, an online retailer that collects personal information about its customers) uses an outside vendor to process data (say, a vendor to manage its customer engagement and other data analytics), the controller is charged with ensuring the vendor meets the GDPR’s requirements and must, itself, have a DPO.
What Qualifications Should My DPO Have?
A DPO should have sufficient expertise to carry out the duties in Article 39 of the GDPR. These include:
- Informing and advising the controller or processor of their duties under the GDPR;
- Monitoring its compliance with the GDPR, and providing advice on compliance; and
- Acting as the supervisory authority’s contact point and offering cooperation on compliance issues. (Each EU member state has a supervisory authority—or Data Protection Authority (DPA)—established to investigate and enforce violations of the GDPR.)
Article 38 also establishes rules for how companies interact with their DPO. Companies must provide the necessary resources to ensure that DPOs can keep their expertise current, and cannot dismiss the DPO for carrying out the tasks required by the GDPR. Data subjects are also permitted to contact the DPO with regard to all issues related to the processing of their personal data under the GDPR.
Importantly, under Article 38, the DPO cannot serve concurrent roles at the company that would create “conflicts of interest.” While the text of the GDPR does not specify what such a conflict might look like, the company should consider a DPO candidate’s competing roles within the company.
For example, a chief marketing officer could have a conflict if called upon to serve as DPO, given that she/he may have an incentive as CMO to support data policies that are more permissive or more restrictive than would be advisable in her/his role as DPO.
A company’s in-house attorney might ordinarily be a good choice; however, in the event of a data breach, that in-house counsel may have potential conflicts in overseeing (or even serving as a fact witness in) a lawsuit brought by data subjects after the breach, while at the same time fulfilling the DPO’s role as the point of contact with those same data subjects.
Outside of this situation, however, a member of the company’s legal department with the required knowledge of the GDPR might otherwise be a strong candidate to serve as the company’s DPO.
Unfortunately, the text of the GDPR does not specify if any one of these situations would create a “conflict” for GDPR purposes. Given the murky definition of “conflicts” under Article 39, companies will want to monitor closely and be prepared to adjust their DPO’s outside duties as needed.
Should I Have a DPO If My Business Does Not Operate in the EU?
Many companies are appointing or have already appointed a DPO as part of their company’s data privacy compliance program, even if they are not required to comply with the GDPR.
With uncertainty surrounding new data privacy laws—including the CCPA—having a role within the company dedicated to ensuring compliance can help companies navigate this fast-changing field. A DPO could also be helpful in mitigating a company’s exposure in the event of a government investigation into a data breach or similar event, as a company’s transparency, cooperation and good faith attempts at compliance are key measures in the evaluation of penalties in U.S. enforcement actions.
European regulators (including EU member state supervisory authorities) have also looked to internal compliance procedures as a mitigating factor when assessing penalties for data law violations—in one of the first fines levied under the GDPR, the Baden-Wuerttemberg DPA (LfDI) cited the company’s implementation of robust internal data security measures as a mitigating factor.
This column does not necessarily reflect the opinion of The Bureau of National Affairs, Inc. or its owners.
Michael Keough is a law clerk in Steptoe’s San Francisco office who focuses his practice on complex commercial disputes and regulatory enforcement matters. Michael has extensive experience litigating complex commercial disputes in both federal and state courts throughout the U.S.
Jennifer Nelson is the senior associate general counsel of Prestige Consumer Healthcare, a publicly held, global consumer packaged goods company headquartered in Tarrytown, N.Y., that markets and sells brand name consumer healthcare products throughout the world.