1.) What is a DPO, anyway? What are they even supposed to do?
In a nutshell, the data protection officer is a senior adviser with oversight of how your organization handles personal data. Specifically, DPOs should be able to:
- Inform and advise your organization and staff about their privacy compliance obligations (with respect to the EU General Data Protection Regulation and other data protection laws).
- Monitor privacy compliance, which includes managing internal data protection activities, advising on data protection impact assessments, training staff, and conducting internal audits.
- Act as a first point of contact for regulators and individuals whose data you are handling (such as users, customers, staff, etc.) (Article 39(1)).
2.) But we’re not based in Europe, so do we even need one?
Well, even if you aren’t required to have one, you should have one.
If you’re processing, managing or storing personal data about EU residents, you’ll need to comply with the requirements of the GDPR — this is one of those requirements, whether you’re based in the EU or not.
Specifically, the GDPR requires that you appoint a DPO in certain circumstances (Article 37(1)).
These include if you carry out "large scale" systematic monitoring of individuals (such as online behavioral tracking).
You’ll also need to appoint a DPO if you carry out "large scale processing of personal data," including:
- "Special categories of data" as set out in Article 9 — that is, personal data that reveals racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric identifiers, health information, or information about a person’s sex life or sexual orientation.
- Data relating to criminal convictions and offenses (per Article 10).
The Article 29 Working Party has stated that "large scale" processing could include, for example, a hospital processing its patient data, a bank processing transactions, the analysis of online behavioral advertising data, or a telco processing the data required to provide phone or internet services.
Even if you don’t fit into one of these categories, you can still appoint a DPO in the spirit of best practice and to ensure that your company is leading from the top when it comes to privacy.
In this respect, New Zealand is already ahead of the game. Entities covered by the New Zealand Privacy Act are already required to have a privacy officer, and they largely fulfill the same functions as a DPO. However, they’ll still need to meet the other DPO requirements; see below.
While Australia hasn’t made having a privacy officer an express requirement for the private sector, the Office of the Australian Information Commissioner recommends that companies appoint a senior privacy officer as part of an effective privacy management framework.
Government agencies aren’t off the hook
Being a public service will not save you. Public authorities that collect the information of EU residents are also required to have a DPO (Article 37(1)).
It’s worth noting that Australian government agencies will need to appoint privacy officers and senior privacy "champions" under the Australian Government Agencies Privacy Code, which came into force in July 2018. Agency privacy champions may also be able to serve as the DPO.
As New Zealand government agencies already have privacy officers, the only question they must answer is whether their privacy officer meets the other DPO requirements; see below.
3.) OK, fine. We get it. We need a DPO. Whom should we appoint?
The DPO needs to be someone who reports to the "highest management level" of your organization — that is, board-level or senior executive (Article 38(3)).
They’ll need to be suitably qualified, including having expert knowledge of the relevant data protection laws and practices (Article 37(5)).
The DPO also needs to be independent; they can’t be directed to carry out their work as DPO in a certain way or be penalized or fired for doing it (Article 38(3)). You’ll also need to ensure they’re appropriately resourced to do the work (Article 38(2)).
If you’re a large organization with multiple corporate subsidiaries, you can appoint a single DPO as long as they are easily accessible by each company (Article 37(3)).
You can appoint one of your current staff as DPO (Article 37(6)), as long as their other work doesn’t conflict with their DPO responsibilities (Article 38(6)). This means that you can’t have a DPO who works on anything that the DPO might be required to advise or intervene on. That is, they can’t also have operational responsibility for data handling. This means you can’t, for example, appoint your chief security officer as your DPO.
4.) But that means we can’t appoint any of our current staff. We can’t take on any new hires right now. Can we outsource this?
Yes, you can appoint an external DPO (Article 37(6)), but whomever you contract will still need to meet all the above requirements.
Some smaller companies might not have enough work to justify a full-time DPO; an outsourced part-time DPO might be a good option for these organizations.
It might also be hard to find qualified DPOs, at least in the short term; IAPP has estimated that there will be a need for 28,000 DPOs in the EU. A lot of companies in Australia and New Zealand are already having trouble finding qualified privacy staff, so some companies might have to share.
5.) This all seems like a lot of trouble. Can we just wing it?
I mean, sure. If you really want to. But under the GDPR, failure to meet the DPO obligations may attract an administrative fine of up to 10 million euros or up to 2 percent of your annual global turnover (Article 83(4)). Previous regulatory action in the EU on privacy issues has also gained substantial media attention. Is it really worth the risk? Especially given that, in the long run, having robust privacy practices will help you keep your users and your customers safe — having an effective DPO may well save you money.