
Who Needs a Data Protection Officer, and What Are Their Functions?

The International Association of Privacy Professionals surveyed 65,000+ respondents worldwide and published a report on information security professionals. 74% of companies hired a Data Protection Officer in 2021. 41% of companies had one information security officer on the team, 18% had two or more, and another 15% preferred outsourcing.

The tech industry has become the leader in implementing information security measures.

What is a DPO? Which companies need a Data Protection Officer? What is the role of a Data Protection Officer? Let's figure it out.

This article uses three terms: data subject, controller and processor. Let's quickly explain what they mean.

The data subject provides the information that a company collects, processes and stores. For example, a Facebook user is a data subject because they transfer personally identifiable information to the corporation. Facebook is the controller because it collects data directly from the user and decides how to process it further. The processor (operator) processes the data on behalf of the controller; it does not determine the purposes of processing, but merely provides services.

Does your company need a Data Protection Officer?

A DPO is mandatory only in specific cases.

Three questions help you understand whether you need such a specialist.

1. Does the GDPR apply to your company?

The GDPR applies to your business if it is located in the EU or processes the data of EU citizens: for example, if you sell goods or provide services, collect and process the personal information of IT product users, or hire employees.

If any of the above describes your business, move on to the next question.

2. Does your company conduct regular, systematic data monitoring on a large scale?

Regular processing refers to continuous or intermittent actions; systematic processing refers to pre-organized activity within the framework of the company's strategy.

If the processing of personal data is necessary to achieve the goals of the organization, the answer to this question is yes, and you need a Data Protection Officer.

3. Does your company collect special categories of personal data from individuals?

Such data includes health, sexual orientation, racial or ethnic origin, political views and religion, as well as genetic and biometric data.

If the answer to question 2 or 3 is yes, you need a Data Protection Officer. This is expressly provided for in Art. 37 GDPR. Even if the answers are negative, you can still bring a DPO onto the team to systematically implement data protection measures and monitor compliance with information security policies.

For example, a clinic is developing an IT solution for online consultations with clients and medical document storage. As a result, the company processes sensitive health data, and this is its main activity, so the company must have a DPO. Suppose an IT company is involved in the development and technical support of the product. Then the clinic acts as the data controller and the IT company as a co-controller or processor. For example, if the IT company provides hosting services, its status is co-controller; if its function is software design, it is the processor.

What does a Data Protection Officer do?

A Data Protection Officer is a qualified specialist who develops and implements an information security strategy in an organization. The list of DPO tasks is enshrined in Art. 39 GDPR. Below we analyze these functions in detail.

Consulting

The DPO informs top management and the team about the technical and organizational measures they need to implement. In this way, the specialist shapes the culture and rules for personal data protection within the company. For example, the DPO develops strategies, participates in drafting documentation, conducts training sessions for the team and monitors changes in legislation.

One example where DPO expertise matters is the organization of marketing processes. Before developing and implementing a strategy, it is worth consulting the DPO. The telecom operator TIM disregarded this advice and, in January 2020, received a fine of EUR 27.8 million for an aggressive marketing strategy. The company violated five articles of the GDPR at once: Art. 5 - principles of personal data processing, Art. 6 - lawfulness of processing, Art. 17 - the right to be forgotten, Art. 21 - the right to object, and Art. 32 - security of processing.

The Italian Data Protection Authority found the following violations.

  • A call center on behalf of TIM made millions of cold calls directed to potential customers without their consent. Some numbers were contacted up to 155 times a month!
  • The company collected a single consent covering several different purposes.
  • To access the program, customers had to agree to advertising.
  • TIM failed to properly manage the lists of data subjects who wished to be removed from advertising campaigns.
  • TIM kept data in the CRM system for a period exceeding the legal limits (10 years).

Had the company engaged a DPO or used outsourced consulting, the marketing strategy could have been built without violating the GDPR and without compromising the results of its advertising campaigns.

Monitoring

The DPO's duty is to audit, internally and externally, the collection, processing and storage of data for compliance with the GDPR. The DPO checks the accuracy of the information in the records of processing operations, namely the list of operations, purposes, data subjects, storage periods, security measures, recipients, and any transfers of data outside the EU. In addition, the DPO implements tools for tracking and controlling processing: log analysis, detection of prohibited data, and verification of compliance with storage deadlines.

In December 2020, the Swedish healthcare provider Capio St. Goran received a EUR 2.9 million fine. The audit showed that the company had not conducted a proper risk assessment and had not implemented effective access control. As a result, too many employees had access to sensitive customer data. In this case, the DPO should have conducted an assessment to determine which employees needed access to medical records.

The DPO's obligations include oversight of the processing of personal data not only of IT product users and customers but also of the company's own employees.

In October 2020, the Hamburg Data Protection Authority fined H&M EUR 35 million for unlawfully collecting and storing information about the family, religion and medical history of its employees. Company managers interviewed employees after vacations and sick days and kept records of these conversations, including details of illnesses and diagnoses. In addition, managers obtained information about the private lives of employees: family problems and religious beliefs. Some of this data was recorded digitally and was available to 50 other managers throughout the company.

Documentation of processing activities

Documentation demonstrates compliance with legal requirements. Therefore, one of the DPO's tasks is to oversee the maintenance of documentation and keep its content up to date.

  • IT products need a Privacy Policy and a Data Subject Consent Form. These documents are required to connect a payment acquiring system, publish mobile applications in the App Store and Google Play, connect Google Analytics and Google Ads, collect data using cookies, and use remarketing.
  • It is crucial for outsourcing IT companies to enter into data protection agreements with clients and contractors and to complete GDPR questionnaires when working with large customers.
  • Digital agencies describe the DPO's status and the personal data processing procedures in their contracts.

Below is a list of GDPR-required internal and external documents.

External Documents

  • Privacy Policy for IT products: marketplaces, mobile applications, GameDev, SaaS solutions and others.
  • Privacy Notice is a public statement about how your organization processes personal data.
  • Data Subject Consent Form. The organization must obtain permission from data subjects to collect, process and store their personal information through a consent form.
  • DPIA registry is used to document data protection impact assessments.
  • Data protection agreements with contractors and employees.
  • Personal Data Protection Policy - a description of the processes for protecting the personal information of data subjects.
  • Employee Privacy Notice explains how an organization handles employee personal information.
  • Data Retention Policy captures how information is organized so that it can be accessed at any time, and how an organization manages data that is no longer needed.

Internal documents

  • Data Retention Schedule determines how long data items are retained and records recommendations for their removal.
  • Data Breach Response and Notification Procedure.
  • Data Breach Registry - an internal record of all personal data leaks.
  • Data Breach Notification Form to the Supervisory Authority.
  • Data Breach Notification Form for Data Subjects.
  • Job description of a Data Protection Officer - an explanation of the DPO's level of responsibility and duties in the field of information security for the team involved in data processing.
  • An inventory of processing activities. This document is mandatory if the organization has more than 250 employees, if processing poses a risk to the rights and freedoms of data subjects, or if processing is not occasional and includes special categories of data.
  • Standard Contractual Clauses, required when, for example, your company is subject to the GDPR and transfers personal data to a non-EU country.

The DPO monitors not only the availability of documents but also their content.

In August 2021, the Irish DPA imposed a €225 million fine on WhatsApp, which had failed to properly explain its data processing methods in its Privacy Policy. It is up to the DPO to ensure that the privacy notice is published in an easily accessible format and in a language that users can understand. If a company relies on "legitimate interests" for personal data processing, it must explain what these interests are for each processing operation.

The interface also matters.

In January 2022, the CNIL in France imposed a EUR 60 million fine on Facebook for failing to obtain proper cookie consent from users. A corporate DPO should track the user journey and audit the usability of products. The Facebook security officer failed to cope with this task. The CNIL noted that the interface (consent form) offered no option other than "accept cookies". Users felt that it was impossible to refuse the storage of cookies and that there was no way to manage them.

Communication with the supervisory authority and data subjects

The DPO acts as a facilitator: reporting data breaches, responding to inquiries during investigations, dealing with complaints, and advising on Data Protection Impact Assessments (DPIA).

Art. 37 GDPR obliges the controller or processor to publish the DPO's contact details and communicate them to the supervisory authority. Art. 38 GDPR stipulates that data subjects may contact the DPO on all matters related to the processing of their data.

The International Association of Privacy Professionals has published a list of the most difficult tasks for a DPO. Compliance with cross-border data transfer requirements takes first place, followed by data protection impact analysis and privacy impact assessment, employee training and data subject rights management.

Conflict of interest in DPO work

The DPO may have other core responsibilities within the company, but any conflict between them must be ruled out. In practice, a Chief Risk Officer (CRO), Chief Financial Officer (CFO), Chief Information Security Officer (CISO) or even a Chief Information Officer (CIO) often performs the DPO's functions.

In April 2020, the Belgian Data Protection Authority imposed a €50,000 fine on a telecom operator for failing to comply with GDPR requirements when appointing a DPO. One employee combined the role of Head of the audit, risk and compliance department with that of the DPO. This situation can be described as "self-control": the same person determines the purposes and means of data processing and also checks their GDPR compliance. The supervisory authority decided that the DPO did not have sufficient independence in such circumstances.

A situation where the DPO also acts as the head of the data processing department contradicts the very essence of the profession, since it is impossible to maintain a balance of interests.

In addition, the DPO must not receive instructions on how to perform their duties; this is stipulated in Art. 38 GDPR. A DPO cannot be dismissed or penalized for performing those duties, and therefore needs a high degree of autonomy.
