Advice on Selecting a Data Protection Officer
06 Apr
Written by: Sean Cox, Esq.
Having a single person responsible for a company’s data privacy and security has long been good business practice, but for many it will soon be a legal requirement. The GDPR requires that organizations under its auspices appoint a Data Protection Officer (“DPO”). These requirements apply to more than just companies located in the EU: the GDPR, and with it the requirement of naming a DPO, applies to companies whose data is located in or transferred into the EU, or that target EU citizens. According to the GDPR, the role of an organization’s DPO, as laid out in Article 39, is to provide legal guidance for the entity, monitor the company’s GDPR compliance, and coordinate with the relevant regulatory authorities. Careful thought should be given to who will fill the DPO position and how its responsibilities should be defined. With potential penalties of up to 4% of a company’s annual worldwide turnover, the GDPR may only be ignored at significant risk.
The knowledge requirements for the DPO position are significant. The International Association of Privacy Professionals analyzed the GDPR training market and estimates that it takes approximately 21 hours of training to obtain the minimum basic understanding of the GDPR needed to function as a DPO. To be effective, the DPO will need to be knowledgeable in the details of the company’s business, its IT systems, and the applicable data privacy legal requirements.
Moreover, the position itself must be designed with care. The DPO role cannot be assigned to a low-level employee: the GDPR requires that an organization’s DPO have access to the highest levels of company leadership. It is also unlikely that the duties can be assigned to an existing position. DPOs are expected to be free from any conflicts of interest within the company as they relate to data privacy and GDPR compliance. For example, a CFO’s duty to limit financial costs or a CIO’s oversight of the IT infrastructure may come into conflict with data privacy compliance. These potential conflicts likely prevent existing officers from also serving as the DPO. For most organizations, the DPO will need to be a stand-alone position.
It is also critical to evaluate the person being chosen to serve as the DPO, beyond simply their qualifications. Under the GDPR, the person serving as DPO is given legal job protections, which are likely to make it much more difficult to dismiss or reassign the person selected. A bad decision in selecting a DPO will therefore be much harder to fix.
Considering all of the inherent difficulties in identifying a DPO, it is no surprise that an industry to fill this need has already sprung up. There is no requirement in the GDPR that the DPO be an employee of the organization, and there is already a burgeoning market of law firms, consulting firms, IT security firms, and others offering DPO services. The most obvious benefit of outsourcing the DPO role is simplicity: given the shortage of qualified candidates, outsourcing is the simplest way to fill the required position. Moreover, third-party DPO providers have a depth of experience working with and responding to regulators that a typical in-house DPO is unlikely to have.
However, there are strong reasons to keep the role in-house. First, in today’s legal and regulatory environment, having a high-level employee dedicated to, or at least ultimately responsible for, data privacy and security issues is simply good business practice. Second, a DPO must understand the company and its business processes, including what data the company collects, how and where it is stored, how it is used, when it is deleted, and the safeguards in place. This familiarity is unlikely to be found outside the organization. Considering the competition for candidates as the GDPR looms, it is clear that filling a DPO position will be no easy task. While many organizations may be tempted to outsource this role, careful thought should be given to this decision. Considering the potential consequences under the GDPR, a dedicated DPO intimately familiar with the company is recommended.