The following article discusses session three in the IR Global Virtual Series on 'GDPR Live: Troubleshooting the EU's New Data Protection Legislation'
France – AMP
The independence of a DPO is crucial, and, in practical terms, this independence is more likely to be guaranteed in structures with limited data processing where the role of the DPO is regular but not intensive. If they are only called when needed, then this relationship does not allow the creation of a real connection. On the other hand, if the DPO is hired on a full-time basis, this requires the organisation to keep a distance and to avoid conflicts of interest.
The DPO has a central role in the GDPR compliance process and, since the deliberation of the European Council was published on September 20, 2018, France’s national data protection agency, the Commission Nationale de l'Informatique et des Libertés (CNIL), is now able to grant competency certificates to DPOs on the basis of its own criteria.
It is not possible, though, to define precisely when large scale processing becomes an alternative criterion for the appointment of a data protection officer (DPO). Indeed, the notion of “large scale” is based on a subjective assessment, and neither the GDPR nor the CNIL has concretely defined this notion.
It may be noted that the G29 notably recommends taking the following points into consideration in order to determine whether or not data processing is carried out on a large scale: the number of people involved, the data volume, the duration or permanence of the data processing activity, the geographical scope of the processing activity.
However, large scale processing is still a concept in progress, which, we hope, will eventually be subject to a clearer definition, through decisions taken by organisations intervening in the protection of personal data (such as the CNIL or the G29).
More generally concerning the DPO, the CNIL has published guidelines in which the French organisation explains that it is not possible to provide a specific figure but does not exclude the possibility that, over time, a common practice can emerge. The CNIL indicated too that the WP 29 has anticipated contributing to this evolution by sharing and making known examples of relevant thresholds for designating a DPO.
In the meantime, we usually strongly advise our clients to appoint a DPO, at least an outsourced one, so that they are sure to be in conformity with the GDPR and avoid any penalties. The law does not require the appointment of a DPO in all organisations which process data. However, we often advise our clients to appoint a DPO and to call on an external provider only when the need arises. The scope of the GDPR is so wide that it is safer to use the services of a DPO who is a subject matter expert to limit the risks.
An external DPO, in close cooperation with lawyers, also allows small structures to be in conformity with the law at a lower cost. More specifically, for clients like SME (PME), the DPO provides technical support along with the law firm staff that is responsible for legal issues.
In addition, working with a DPO on data matters shows how the client is involved in the process of compliance with the GDPR and makes its best efforts to protect the subject data.
Finally, we work in cooperation with foreign law firms on cross-border files led by a coordinator from the country where the data processing is the most important.
Belgium – MVS
Article 37 (1) GDPR requires data controllers and processors to designate a DPO in any case where the processing is carried out by a public authority or body, and the ‘core activities’ of the controller/processor consist of processing operations which require regular and systematic monitoring of data subjects on a large scale.
A DPO is also required if the core activities of the controller/ processor require large scale processing of ‘special categories of data’ or personal data relating to criminal convictions and offences.
Many clients calling upon our GDPR expertise are not public authorities or do not engage in regular and systematic monitoring on a large scale as a core activity. Law firms with clients in the public sector, however, have their associates follow data protection officer certification training courses. The bar associations encourage these courses by awarding points in the framework of compulsory permanent training for lawyers.
Article 29 Data Protection Working Party (‘WP29’) encourages the appointment of a DPO on a voluntary basis in cases where this is not mandatory, but we notice that our clients are not inclined to do so.
Unless it is obvious that an organisation is not required to designate a DPO, the WP29 recommends that controllers and processors document the internal analysis carried out to determine whether or not a DPO is to be appointed, in order to be able to demonstrate that the relevant factors have been taken into account properly.
When a client appoints a DPO (mandatory or even voluntary), there is an obligation in Article 37 (5) to appoint a person on the basis of their professional qualities, who has expert knowledge of data protection law and practices.
DPOs must be independent, which means they cannot receive instruction regarding the performance of their tasks. Article 38 (3) even provides DPOs with a protected status, meaning that organisations cannot dismiss or sanction DPOs for performing their tasks. The controller and processor must also ensure that the DPOs’ tasks will not lead to any conflicts of interest.
Finally, even though WP29 states that DPOs are not personally responsible in a case of non-compliance with the GDPR, this is not explicitly stated in the GDPR regulation. This means that DPOs might be reluctant, given the civil remedies and sanctions regime that comes with the GDPR.
Germany – KS
The role of the data protection officer has been known to German companies for a long time. For that reason, many companies did not concern themselves with the new regulation.
However, the GDPR has introduced a number of changes to the responsibilities and duties of the DPO. The role of the DPO has evolved from that of a person who is actively involved in data processing and documentation to a person responsible for a monitoring and advisory function. This adjustment process is still taking place.
U.S. – California – JSZ
Right now, the DPO role at US start-ups is largely being assigned to a pre-existing IT officer, like a Chief Technology or Information Officer (CTO/CIO). The general idea is that DPO responsibilities are subsumed within that officer’s duties.
With respect to issues surrounding ‘large scale’ processing and whether or not something qualifies, there is a lot of ‘I don’t know exactly what that means, so let’s just assume this applies to you’ analysis going on in the US.
Until there is clear guidance on what does not constitute large scale processing, the recommendation is to simply have a DPO and ensure that person is empowered to implement the client’s data security strategies.
We have told our clients that the person designated as the DPO needs to have clear independence to report to the board and make decisions on handling data breach recovery processes and required notifications to authorities and users. Our advice is basically to treat your DPO the way your head of human resources (HR) is treated with respect to a major internal investigation. They need to be viewed as 100 per cent independent and with 100 per cent authority to act. Practical realities hinge on how much of a separate role this is in the organisation versus simply an added title.
We have not really seen much in the realm of outsourcing DPO functions. This may be more of a Europe-centric phenomenon.
Luxembourg – VK
The majority of our clients tend to systematically appoint a DPO, even though they are not obliged to by law. The clients feel more comfortable having their own DPO. The DPO is often seen as a person who will be in charge of, and responsible for, all the GDPR obligations, and clients assume that appointing a DPO will resolve all the issues raised by the GDPR. The legal role of the DPO is often misunderstood by the clients, especially the DPO's independence from the management of the company.
The DPO is generally chosen among the employees. None of our clients has outsourced the DPO role so far. The main reason is to avoid special expenses linked to the outsourcing of the function.
Bulgaria – PD
We advise our clients to train appointed DPOs because this is of great importance for accountability and competitiveness in the business field they operate in. What we try to do is make GDPR compliance a competitive advantage for our clients, and the DPO plays a substantial role in the process.
The biggest challenge that we still see in our jurisdiction is the appointment of DPOs by public authorities, rather than in private organisations. A curious example is the appointment of a public relations officer as a DPO in addition to their primary function.
This happened in the state registry agency – the authority operating all the most important registers in Bulgaria, including the commercial register, the NGO register and the real estate register. For a few weeks in August, the commercial register simply stopped working, causing many problems and delays.
Months later, it is still not clear what exactly happened or what the real damage was. However, as far as we know, this data breach was not even reported on time to the supervisory authority. This leads to the conclusion that the DPO role should be very carefully considered and is one of the key positions in the organisation.
Sweden – AFS
The DPO must be able to work independently and without being influenced by others within the organisation. It is therefore important that the data protection officer does not have other tasks that can collide with their role as DPO. We see that some DPOs are very much involved in the daily work with GDPR issues and that they draft contracts, policies and other documentation. Other DPOs are acting more like internal auditors, surveilling and checking the daily work of others.
What can be considered "large scale" may be difficult to assess. It depends, among other things, on the number of data subjects, how much information is processed, the types of information that are processed, and for how long the information is processed. The Swedish Data Protection Authority (Datainspektionen) has provided the following examples on its web page. Examples of organisations that process personal data on a large scale: i) hospitals – patient data, ii) public transport – journey data relating to individual travellers, iii) insurance companies or banks – information relating to customers' property and assets. Examples of activities where personal data is not processed on a large scale: i) an individual doctor processes patient data, ii) an individual lawyer processes personal data relating to criminal convictions and offences. See also page 7 of WP 243, Guidelines on Data Protection Officers.
The Swedish Data Protection Authority has already undertaken its first GDPR investigation. It investigated whether 350 companies and authorities had appointed a DPO. The majority of the companies and authorities had appointed a DPO in time. About 16 per cent were not compliant. The situation is more or less the same within the public sector as within the private sector. The DPA did not impose any administrative fines, only reprimands. In two cases, orders were issued.
James Simpson (JS) Blaser Mills Law – England www.irglobal.com/advisor/james-simpson
Petya Dobrenova (PD) Karastoyanov, Mitkov & Associates Law Office – Bulgaria www.lawyers-bg.net/en/page/5
Valérie Kopéra (VK) Bonn Steichen & Partners – Luxembourg www.bsp.lu/professionals/counsel/valerie-kopera
Erdem Balkan (EB) Guzeldere & Balkan Law Firm – Turkey www.irglobal.com/advisor/erdem-balkan
Anna Fernqvist Svensson (AFS) Hellström advokatbyrå kb – Sweden www.irglobal.com/advisor/anna-fernqvist-svensson
Kathrin Schürmann (KS) Schürmann Rosenthal Dreyer Rechtsanwälte – Germany www.irglobal.com/advisor/kathrin-schurmann
Maarten Van Staeyen (MVS) QUORUM – Belgium www.irglobal.com/advisor/maarten-van-staeyen
Anne-Marie Pecoraro (AMP) ATurquoise – France www.irglobal.com/advisor/anne-marie-pecoraro
Jake Schwarz (JSZ) Pacific Crest Law Partners – U.S. – California www.irglobal.com/advisor/jake-schwarz