The International Association of Privacy Professionals surveyed 65,000+ respondents worldwide and published a report on information security professionals. 74% of companies hired a Data Protection Officer in 2021. 41% of companies had one information security officer on the team, 18% had two or more, and another 15% preferred outsourcing.
The tech industry has become the leader in implementing information security measures.
What is a DPO? Which companies need a Data Protection Officer? What is the role of a Data Protection Officer? Let's figure it out.
This article uses three terms: data subject, controller and processor. Let's quickly explain what they mean.
The data subject is the individual who provides the information that the company collects, processes and stores. For example, a Facebook user is a data subject because they transfer personally identifiable information to the corporation. Facebook is the controller because it collects data directly from the user and decides how to process it further. The processor (operator) processes the data on behalf of the controller; it does not determine the purposes of processing, but merely provides services.
Does your company need a Data Protection Officer?
A DPO is mandatory only in specific cases.
There are three questions to understand if you need such a specialist.
1. Does the GDPR apply to your company?
The GDPR rules apply to your business if it is located in the EU or processes the data of EU citizens, namely if you sell goods or provide services, collect and process the personal information of IT product users, or hire employees.
If any of the above characterizes your business, move on to the next question.
2. Does your company conduct regular, systematic data monitoring on a large scale?
Regular processing refers to continuous or recurring actions; systematic processing refers to pre-organized activity carried out within the framework of the company's strategy.
If processing personal data is necessary to achieve the organization's goals, the answer to this question is yes, which means you need a Data Protection Officer.
3. Does your company collect special categories of personal data from individuals?
Such data includes health, sexual orientation, racial or ethnic origin, political views and religion, as well as genetic and biometric data.
If the answer to question 2 or 3 is yes, you need a Data Protection Officer. This is expressly provided for in Art. 37 GDPR. But even if the answers are negative, you can still bring a DPO onto the team to systematically implement data protection measures and monitor the implementation of information security policies.
For example, a clinic is developing an IT solution for online consultations with clients and medical document storage. As a result, the company processes sensitive health data, and this is its main activity, which means the company must have a DPO. An IT company, in this case, is involved in the development and technical support of the product. The clinic then acts as a data controller and the IT company as a co-controller or processor. For example, if the IT company provides hosting services, its status is co-controller; if its function is software design, it is the processor.
What does a Data Protection Officer do?
A Data Protection Officer is a qualified specialist who develops and implements an information security strategy in an organization. The list of DPO tasks is enshrined in Art. 39 GDPR. Below we look at these functions in detail.
The DPO informs top management and the team about the technical and organizational measures they need to implement. In this way, the specialist shapes the culture and rules for personal data protection within the company. For example, the DPO develops strategies, participates in drafting documentation, conducts training sessions for the team, and monitors changes in legislation.
One area where DPO expertise matters is the organization of marketing processes. Before developing and implementing a strategy, it is worth consulting the DPO. The telecom operator TIM disregarded this advice and, in January 2020, received a fine of EUR 27.8 million for an aggressive marketing strategy. The company violated five articles of the GDPR at once: Art. 5 - principles of personal data processing, Art. 6 - lawfulness of processing, Art. 17 - the right to be forgotten, Art. 21 - the right to object and Art. 32 - security of processing.
The Italian Data Protection Authority found the following violations.
- A call center acting on behalf of TIM made millions of cold calls to potential customers without their consent. Some numbers were contacted up to 155 times a month!
- The company collected consent for several purposes with a single subscription.
- To access the program, customers had to agree to advertising.
- TIM failed to properly manage the lists of data subjects who wished to have their personal information removed from advertising campaigns.
- TIM kept data in the CRM system for a period exceeding the legal limits (10 years).
Had the company brought a DPO onto the team or used outsourced consulting, the marketing strategy could have been built without violating the GDPR and without compromising the results of its advertising campaigns.
Another duty of the DPO is the internal and external audit of data collection, processing and storage for GDPR compliance. The DPO checks the accuracy of the information in the records of processing operations: the list of operations, purposes, data subjects, storage period, security measures, recipients, and any transfers of data outside the EU. In addition, the DPO implements tools for tracking and controlling processing: log analysis, detection of prohibited data, and verification that storage deadlines are respected.
The DPO's obligations cover the processing not only of the data of IT product users and customers, but also of employees within the company.
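As an added illustration of the checks just described (this is example code written for this article, not a tool from the original text), the script below runs over a constructed inventory of processing activities with the fields the article lists and flags records held past their documented storage period, activities that involve special categories of data, and transfers outside the EU without a documented safeguard. The inventory contents, field names and dates are all assumptions made for the example.

```python
from datetime import date, timedelta

# Special categories of personal data as named in the article (Art. 9 GDPR)
SPECIAL_CATEGORIES = {"health", "sexual orientation", "racial or ethnic origin",
                      "political views", "religion", "genetic", "biometric"}

# Constructed sample inventory of processing activities (hypothetical, not real data)
INVENTORY = [
    {"operation": "CRM marketing contacts", "purpose": "marketing",
     "categories": ["name", "phone"], "retention_days": 730,
     "records": [{"id": "c1", "collected": date(2019, 1, 10)},
                 {"id": "c2", "collected": date(2022, 6, 1)}],
     "transfer_outside_eu": False, "safeguard": None},
    {"operation": "Online consultations", "purpose": "medical service",
     "categories": ["name", "health"], "retention_days": 3650,
     "records": [{"id": "p1", "collected": date(2021, 3, 5)}],
     "transfer_outside_eu": True, "safeguard": None},
]


def overdue_records(activity, today):
    """Return ids of records kept longer than the activity's documented storage period."""
    limit = timedelta(days=activity["retention_days"])
    return [r["id"] for r in activity["records"] if today - r["collected"] > limit]


def audit_inventory(inventory, today):
    """Return (operation, finding, detail) tuples for the DPO to review."""
    findings = []
    for act in inventory:
        # 1. storage deadline verification
        for rid in overdue_records(act, today):
            findings.append((act["operation"], "retention_exceeded", rid))
        # 2. special categories present: needs an Art. 9 basis and a DPIA entry
        special = SPECIAL_CATEGORIES.intersection(act["categories"])
        if special:
            findings.append((act["operation"], "special_category", ",".join(sorted(special))))
        # 3. transfer outside the EU with no safeguard (e.g. Standard Contractual Clauses)
        if act["transfer_outside_eu"] and not act["safeguard"]:
            findings.append((act["operation"], "transfer_without_safeguard", ""))
    return findings


if __name__ == "__main__":
    for finding in audit_inventory(INVENTORY, date(2023, 1, 1)):
        print(finding)
```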
Documentation of processing activities
Documentation demonstrates compliance with legal requirements. Therefore, one of the DPO's tasks is to oversee its maintenance and keep its content up to date.
- It is crucial for outsourcing IT companies to enter into data protection agreements with clients and contractors and to fill out GDPR questionnaires when working with large customers.
- Digital agencies describe the DPO's status and their personal data processing procedures in contracts.
Below is a list of GDPR-required internal and external documents.
- Privacy Notice is a public statement about how your organization processes data.
- Data Subject Consent Form. The organization must obtain permission from data subjects to collect, process and store their personal information through a consent form.
- DPIA Registry documents data protection impact assessments.
- Data protection agreements with contractors and employees.
- Personal Data Protection Policy - a description of the processes for protecting the personal information of data subjects.
- Employee Privacy Notice explains how an organization handles employee personal information.
- Data Retention Policy captures how information is organized so that it can be accessed at any time, and how an organization manages data that is no longer needed.
- Data Retention Schedule determines how long data items are retained and sets out recommendations for their removal.
- Data Breach Response and Notification Procedure.
- Data Breach Registry is an internal record of all personal data breaches.
- Data Breach Notification Form to the Supervisory Authority.
- Data Breach Notification Form for Data Subjects.
- Job description of a Data Protection Officer explains the DPO's level of responsibility and duties in the field of information security to the team involved in data processing.
- An inventory of processing activities. This document is mandatory if the organization has more than 250 employees, if the processing poses a risk to the rights and freedoms of data subjects, or if the processing is not occasional and includes special categories of data.
- Standard Contractual Clauses, for example when your company is subject to the GDPR and transfers personal data to a non-EU country.
The DPO monitors not only that these documents exist but also their content.
How they are presented also matters.
Communication with the supervisory authority and data subjects
The DPO acts as a facilitator: reporting data breaches, responding to inquiries during investigations, dealing with complaints, and advising on the Data Protection Impact Assessment (DPIA).
Art. 37 GDPR obliges the controller or processor to publish the DPO's contact details and communicate them to the supervisory authority. Art. 38 GDPR stipulates that data subjects may contact the DPO on all matters related to the processing of their data.
The International Association of Privacy Professionals has published a list of the most challenging tasks for a DPO. Compliance with cross-border data transfer requirements takes first place, followed by data protection impact analysis and privacy impact assessment, employee training, and data subject rights management.
Conflict of interest in DPO work
The DPO may have other core responsibilities within the company, but any conflict between them must be ruled out. For example, the Chief Risk Officer (CRO), Chief Financial Officer (CFO), Chief Information Security Officer (CISO) or even the Chief Information Officer (CIO) often performs the DPO's functions.
A situation where the DPO also acts as the Head of the Data Processing Department contradicts the very essence of the profession, since it is impossible to maintain a balance of interests.
In addition, the DPO must not receive instructions on how to perform their duties; this is stipulated in Art. 38 GDPR. A DPO cannot be dismissed or penalized for performing those duties, and therefore needs a high degree of autonomy.