Editor's Note:
This is the second in a two-part series of Perspectives posts on the hiring of data protection officers in the EU. Inpart one, Gonca Dhont discussed when organizations should hire a DPO, differences between DPOs and CPOs, the types of knowledge base candidates should have, and much more.
We have 20 separate legal entities across five countries in Europe. All are required to appoint a DPO as per the Regulation. Can we not just appoint a single in-house DPO to serve all of them?
Although the GDPR in principle replaces national data protection laws, some local differences will remain. These differences can be found in local laws other than data protection, in DPA reflexes and in the expectations of the citizens. Moreover, we expect the DPO to be the face of the company to the external world (DPAs and data subjects) and this task will require local language skills. Therefore, make sure your DPO has the necessary skills to address these local differences while performing tasks across different Member States.
The dream solution would be to appoint a DPO per country but given the budgetary challenges in our community, it remains a dream. Perhaps a more reasonable approach would be to group similar jurisdictions (e. g. South Europe, the Nordics) and appoint a DPO per each group.
Our DPO will assist all of our European entities. In which European country should we locate the person? Can we locate him or her outside Europe?
There seems to be no limitation on the base location of the DPO as long as she or he is easily accessible from each entity. By “easy accessibility” we do not think that the drafters meant physical accessibility but more the easiness of reaching out to the DPO for guidance. This should not be an issue, thanks to the current communication technology.
Can you locate the DPO outside Europe? Answer this first: Can your DPO really build a strong bond with your European business remotely? It is a brand new role. Regardless of the DPO location, it will be difficult for the rest of the organization to understand why the person is there and who she or he serves. Keeping the person in another continent far from his or her internal clients may have a negative impact on the person’s acceptance. Plus, the DPO needs to work with the DPAs very closely and this may include last-minute meetings!
Will the DPO report to our CPO?
Not directly; unless your CPO is the highest management level in any of your European entities. Check your organization chart to see the highest management level of your European entity. Needless to say, while your DPO is a direct report of the local management, she or he can also be connected to your CPO with a dotted-line. This is not a new working model for companies with matrix structures.
If multiple entities of the same group share a single in-house DPO, what will the reporting line look like?
Although the DPO will be officially employed by one of the legal entities, she or he would have a solid-line reporting relationship with the highest management levels of all entities in the scope. This situation must be made clear to the employee right from the start. Next to this, you must properly inform the top management of your local entities about this role, the person’s tasks and their own responsibilities, as explained in the Regulation.
Is it true that the DPO will work totally independently while performing his or her job? No one in an organization is independent.
In our view, the phrase “no instructions” in the Regulation refers to an operational independence to fulfil the key tasks. As a subject-matter-expert, the DPO is there to help your organization to reach business targets in a compliant way. She or he must be able to provide advice freely on the compliant course of action. The decision to follow this expert’s advice ultimately lies with the business.
What is the minimum period for a DPO appointment?
There is no limitation on the length of this tenure.
What is the personal liability of the DPO for compliance failures?
There is no indication that the DPO can be held personally liable for cases of non-compliance.
Is it true that the DPOs cannot be dismissed once they are officially appointed?
The Regulation says that you cannot dismiss or penalize the DPO just because the person is doing his or her job (e.g. cooperation with the local DPA). If the person has another role in addition to being a DPO, this protection applies only for the DPO tasks.
Does it make sense to look internally first within the organization before hiring a DPO from outside?
From a talent management perspective, always. Once you have defined your ideal candidate profile, scan your organization to see whether any of your employees meet the criteria and have a little chat to confirm the person’s interest for a full-time DPO job.
If the decision is not to create a full-time headcount but to give the DPO tasks to an existing staff member, there are a couple of points to which you need to pay attention. The first one is the proper estimation of the DPO’s workload with tasks ranging from advising to monitoring, training and interactions with the external world. The job can even get heavier if we speak of a large organization with various business lines and services. Are you sure all of this can be done with a part-time resource?
Secondly, you need to make sure that the person’s DPO tasks will not conflict with his or her regular function. Which functions are not compatible with the DPO tasks and may create a conflict of interest? These could be the ones which are typically related to the “monitoring” task of the DPO; functions either too close to the data flows and processing (e.g. HR, marketing, product development, vendor management), the ones which are responsible for information security systems (e.g. IT, information security), or a function which by nature require defending corporate interests (e.g. legal).
If you cannot find the right DPO profile from within the organization, you will need to recruit a good DPO externally.
What other options do we have if we do not want to create a permanent headcount?
You can search for a knowledgeable and experienced professional who will work on the basis of a service contract. So far, it has been quite common for companies across Europe to hire an external privacy consultant for a specific project (e.g. a PIA for a new software launch). With the Regulation, now there is the possibility to assign such an expert on an ongoing basis and with an official DPO title.
Businesses have some concerns at this point. One of them is the possible negative perception of an “outsider,” just as it happens with other external consultants. Note that, even for an in-house DPO, it will take some time to build the right perception within the company (an advisor? a policeman?) and gain acceptance. This may get more challenging if the person is an external.
Some are also concerned that an external DPO would not have sufficient knowledge of the business and this could result in less compliance. This depends on the amount of time the external DPO will spend at your organization. If you take this person on a full-time basis and the only difference to a regular employee would be the contract type, then the initial onboarding period won’t be longer than any other new person on an employment contract. Going forward, as the external DPO is timely involved in all matters and works closely with the teams she or he will gather sufficient knowledge on your business.
You may make a combination of in-house and external DPOs, too. In that case, you may wish to consider factors such as the size of your entities, type of data/processing which impact their risk levels and the general level of awareness for privacy within each entity.
If we decide to recruit an external DPO to assist a group of legal entities, does the DPO need to sign a service contract with each of them?
Depending on your procurement practises, one of the entities which has the authority to represent others, can sign the service contract with the DPO. Make sure this contract lists all entities which will benefit from the DPOs services, the correct reporting lines and possibly also how the DPOs time will be split between entities. Another option is to allow each entity signing its own contract with the DPO, but this may prove to be impractical.
We are a non-EU based company subject to the Regulation and to the DPO provisions. How will we appoint a DPO, where should we locate the person, who should s/he report to?
Appointing an external DPO on the basis of a service contract could be a solution. As for the location, you can position your DPO in the Member State where the data subjects, whose personal data are processed in relation to the offering of goods or services to them, or whose behaviour is monitored, are. Your DPO would report to the highest management level of your company.
Finding the right DPO, and in a timely manner, will be a challenge for every business, but it can definitely be planned better!