Outsourced DPO: GDPR Data Protection Officer as a Service


Many organizations may decide to go with an outsourced DPO, or DPO as a Service, because of the intense competition to hire Data Protection Officers in 2018. Article 37(6) explicitly permits a controller or processor to engage an external data protection officer on the basis of a service contract, although an outsourced DPO must meet all of the requirements, and carry out all of the tasks, of an internal DPO. The use of a DPO as a service is discussed further in the WP29 Guidelines on Data Protection Officers.

DPOs are considered cornerstones of accountability under the law and many organizations will find them a beneficial addition to their privacy efforts even if not strictly required to appoint them. The role of the DPO is to inform the company, its employees and any processors used of their obligations under the GDPR, monitor compliance with the law, provide advice concerning data protection impact assessments, and cooperate with the regulatory authorities.

Article 37(1) of the GDPR requires the appointment of a data protection officer where processing is carried out by a public authority or body, where the core activities of the controller or processor consist of regular and systematic monitoring of data subjects on a large scale (which includes tracking individuals on the internet for behavioral advertising), or where the core activities consist of large-scale processing of special categories of data or of data relating to criminal convictions and offences. The "core activity" and "large scale" elements must be present together with the monitoring or sensitive-data element; none of them triggers the obligation on its own.

The Data Protection Directive did not require a data protection officer; it only allowed Member States to reduce notification obligations where a controller appointed a "personal data protection official" (Article 18(2)). A handful of countries, notably Germany, nevertheless mandated the appointment of a DPO for certain businesses or industries. A number of other EEA countries, such as France, reduced or eliminated certain notification obligations if an organization voluntarily appointed a DPO and notified the DPO of its processing operations.

Many companies are therefore looking to add a DPO in 2018 because of the GDPR, and there have been a number of media reports on the competition for them. Reuters called the DPO "the hottest tech ticket in town" in February. The Wall Street Journal covered it with an article titled "GDPR Is Almost Here, Let the … Talent Race Begin." The International Association of Privacy Professionals has estimated worldwide demand for data protection officers at 75,000. Given the competition, many companies may turn to an external data protection officer, also referred to as an "outsourced DPO", in order to meet the law's requirements.

What Businesses Need a DPO?

There is still uncertainty about precisely which organizations are required to appoint a data protection officer. The Article 29 Working Party Guidelines on Data Protection Officers recommend that, unless it is obvious that Article 37 does not apply, organizations document the internal analysis used to determine whether a DPO must be designated. If the conclusion is that no DPO is required, the decision should be revisited when the organization takes on new activities or services that might fall within Article 37(1).

The Guidelines also help identify when the GDPR requires a DPO. A business that does not process special categories of data (Article 9) or data relating to criminal convictions and offences (Article 10) on a large scale as a core activity, and so falls outside Article 37(1)(c), will need to designate a DPO only if it falls within Article 37(1)(b):

The controller and the processor shall designate a data protection officer in any case where: … the core activities of the controller or the processor consist of processing operations which, by virtue of their nature, their scope and/or their purposes, require regular and systematic monitoring of data subjects on a large scale.

According to the Guidelines, an organization's "core activities" are the key operations necessary to achieve its goals. They do not include activities that are necessary, even essential, but are ancillary to the organization's purpose, such as paying employees or providing standard IT support. Such activities are carried out by every organization regardless of its core activity.

The Working Party provides two key examples of core activities. The first is that the processing of health data is a core activity of a hospital, because the hospital could not provide healthcare safely and effectively without processing patients' health records. The second is a private security company that carries out surveillance of private shopping malls and public spaces, where the surveillance is "inextricably linked" to personal data processing. Both examples require a DPO: in the hospital the core activity involves large-scale processing of health data (Article 37(1)(c)), and in the security company it involves large-scale, regular and systematic monitoring (Article 37(1)(b)).

For "large scale", the Guidelines state that it is not currently possible to give a precise amount of data, or number of individuals concerned, that would automatically require the appointment of a data protection officer, while acknowledging that a standard practice may develop over time for common processing activities. The Working Party instead asks organizations to weigh a number of factors: the number of data subjects concerned (as a specific number or as a proportion of the relevant population), the volume of data or range of data items processed, the duration or permanence of the processing activity, and its geographical extent. The Guidelines provide six examples of large-scale processing and two examples of processing that is not large-scale.

The examples of what is large scale include:

– hospital processing of patient data
– tracking of travel data by a public transport system
– processing of real-time geolocation data of customers of an international fast food chain for statistical purposes, by a processor specialized in providing such services
– bank or insurance company processing of customer data in the regular course of business
– search engine processing of personal data for behavioural advertising
– telephone or internet service provider processing of content, traffic or location data

The examples of processing activities that are not large-scale include:

– individual physician processing of patient data
– individual lawyer processing of personal data relating to criminal convictions and offences

Earlier drafts of the GDPR used numeric thresholds instead of the "large scale" test: the Commission's proposal tied the DPO obligation to enterprises with 250 or more employees, and the Parliament's text to processing relating to more than 5,000 data subjects in a 12-month period. Both thresholds were left out of the final Regulation, although some organizations still use them as a rough benchmark.

Regular and Systematic Monitoring

WP29 considers monitoring regular if it is ongoing (or occurring at particular intervals for a particular period), recurring (or repeated at fixed times), or constantly or periodically taking place. WP29 considers monitoring systematic if it occurs according to a system; is pre-arranged, organized or methodical; takes place as part of a general plan for data collection; or is carried out as part of a strategy. The Working Party lists a number of activities that may constitute regular and systematic monitoring:

– operating a telecommunications network
– providing telecommunication services
– email retargeting
– data-driven marketing activities
– risk assessment profiling and scoring (e.g., credit scoring, fraud prevention, setting insurance premiums)
– location tracking
– loyalty programs
– behavioural advertising
– monitoring of wellness, fitness and health data via wearable devices
– closed circuit television
– connected devices (e.g., smart cars or home automation)

The Tasks of a DPO as a Service

What roles must an external data protection officer perform under the GDPR?

– Inform and advise the organization and its employees of their obligations under the GDPR and other data protection provisions
– Provide advice on data protection impact assessments and monitor their performance
– Raise awareness and train employees involved in processing operations
– Monitor and audit compliance with the GDPR and other data protection provisions
– Act as the contact point for the supervisory authority and cooperate with it

Additional Information About an External DPO as a Service

The GDPR requires a certain level of independence between the organization and the DPO. Article 38(3) requires that the organization ensure that the data protection officer does not receive any instructions regarding the exercise of his or her tasks.

Communication and Resources

The organization must work closely with an external DPO to ensure that Article 38(1) is met and that the outsourced DPO is involved, properly and in a timely manner, in all issues relating to the protection of personal data. Under Article 38(2) the organization must also provide access to personal data and processing operations, as well as the resources necessary to carry out the DPO's tasks and to maintain his or her expert knowledge.

Conflicts of Interest

As with an internal DPO, an external DPO must avoid a conflict of interests under Article 38(6) in any other tasks and duties performed for the organization. WP29 explains that a conflicting position is one that leads the DPO to determine the purposes and means of processing. A lawyer serving as DPO while representing the organization before the courts in cases involving data protection issues would also have a conflict of interest, according to WP29.

WP29 recommends that an organization, among other things, identify positions which would be incompatible with the DPO functions, draw up internal rules to avoid conflicts, specify the DPO role with sufficient precision to avoid a conflict, and declare that the DPO has no conflict of interest.

WP29 further notes that when the outsourced DPO is an organization whose staff carry out the DPO tasks as a team, the requirements of Section 4 of the GDPR, including the absence of any conflict of interest, apply to each individual on that team.

WP29 recommends that the service contract clearly allocate the tasks within that team and assign a single individual as the lead contact and person "in charge" of each client.

Contact Clarip Today for Help with CCPA and GDPR

The Clarip team and data privacy software are prepared to help your organization improve its privacy practices. Click here to contact us (return messages within 24 hours) or call 1-888-252-5653 to schedule a demo or speak to a member of the Clarip team.

If your challenge right now is CCPA compliance for your California operations, allow us to show you our CCPA software. From consent management software to offer the option to opt-out of the sale of personal data, to a powerful DSAR Portal to facilitate the right to access and delete, Clarip offers enterprise privacy management at an affordable price.

If you are preparing your European operations for GDPR compliance, we can help through our modular GDPR software. Whether you are looking to start the process with GDPR data mapping software, increase automation in your privacy program with DPIA software, or handle ePrivacy with a cookie consent manager, Clarip has the privacy platform that you need to bolster your program.