Among the mis/disinformation about GDPR readiness, I’ve noticed two trends. First, there are some who take a ho-hum approach to data security and advocate a wait-and-see approach to GDPR enforcement. That’s…that’s just a terrible idea, for reasons I hope are clear to you by now. The second trend is to go way too far in the other direction, and essentially argue that every company on earth will need to be fully GDPR compliant on May 25. I know, imagine it, something that’s not true made its way onto the internet. After predictions of doom, this latter group typically says that it is the solution to your woes, and makes a strong pitch that you should hire them to be your Data Protection Officer (“DPO”), because the GDPR mandates that every company needs one, and only they can protect you.
Not quite. GDPR does require that some companies hire a DPO, and it may well be a good idea to establish the position even if it isn’t mandatory. But it is much more complicated than a simple yes/no answer. A DPO is meant to be a company’s primary authority figure for the protection of personal data and for overseeing compliance with whatever data security laws and regimes are in place. Under the Regulation, DPOs will be far busier, handling data protection impact assessments, overseeing internal datasec policy and practices, and liaising with (or complying with demands from) supervisory authorities.
But DPOs are not a new invention; they have been a voluntary component of the Data Protection Directive, which has been the datasec framework for the EU since 1995. Under the Directive, the DPO’s tasks were primarily to notify supervisory authorities in the event of a breach and to abide by whatever Member State laws required of them. Some countries (like Portugal) did not establish DPO regulations at all, while others made hiring a DPO all but mandatory (Germany, for instance, required a DPO for all companies that employed more than nine people to process personal data).
The Regulation, as mentioned, aims to change all of that, and requires that some entities hire a DPO:
- Where the processing is carried out by a public authority;
- Where the company’s core activities are processing of personal data such that the company systematically monitors data subjects on a large scale; and
- Where the company’s core activities are processing of special categories of data (sensitive information or criminal records).
In other words, governments, large-scale data consumers, and companies with very sensitive information (like arrest records or political beliefs) must have a DPO, because the risks to individual privacy are greatest in those sectors.
For most businesses, it’ll be clear if they fall into category 1 or 3; the second category is the tricky one. Are you processing enough personal data and tracking data subjects to qualify? It’s a question that will require serious analysis to answer properly. And even if you don’t qualify, it may be best to hire a DPO anyway, so that your company has a single authority figure to lead GDPR/datasec compliance efforts. Another complication to consider is that the GDPR leaves open the possibility of more stringent Member State laws on when a DPO is necessary. If you do business in Germany, for instance, be prepared for regulations that go beyond the GDPR minimum, because the German Supervisory Authority (the BfDI) is a leader in promoting robust data security rules.
In the end, the real question is resource allocation. How much does it matter to your company to be compliant, and how much are you willing to spend to get there? For some businesses, a DPO doesn’t make much sense; existing leadership could handle the task. For others, if not a requirement, it’s something of a necessity. You have to decide, with good counsel, whether hiring a DPO is the right investment for your business. Datasmart companies know how and when to make those choices – and for some, it’s a choice that will need to be made before May 25. So ask yourself the tough questions now.