Data Protection Officers (DPOs): emerging trends and challenges
November 01, 2018
As we embrace the GDPR ‘Live’ environment, businesses and their DPOs are now busy operationalising their privacy compliance programmes in this new business as usual (“BAU”) world of transparency, accountability and user rights.
We are seeing the emergence of some common themes in terms of the challenges facing businesses and their DPOs.
Organisations need to ensure that their DPOs are provided with a sufficient level of autonomy to perform their activities. This means that in fulfilling their tasks under the GDPR, DPOs must be independent and must not be “instructed” on how to deal with a specific matter. In addition, they cannot undertake additional duties or roles that may result in a conflict of interest. These requirements can create operational and cultural challenges for businesses, particularly as the business will ultimately be responsible for compliance with the GDPR in its capacity as a data controller or processor.
Organisations must therefore give careful consideration to who will fill the DPO role and to the specific tasks they will be assigned under the GDPR, to avoid potential overlap with the responsibilities of the Legal, Internal Audit and Finance departments. Additional activities that could lead to the DPO determining the purposes and means of data processing should also be avoided, as these create potential conflicts of interest. This will need to be considered on a case-by-case basis and kept under review depending on the structure of the business; however, senior IT, Operations or Marketing positions are some of those that could present such issues.
2. Local requirements for a DPO and notification requirements
Whilst the GDPR includes specific criteria to determine when a DPO is required, it also allows member states to implement additional and specific requirements at a local level. In Germany, for example, the threshold for appointing a DPO is much lower and is generally triggered where a business has a minimum of ten employees permanently engaged in the automated processing of personal data. Where a DPO is appointed for a group of companies, the DPO should therefore continue to monitor local requirements.
Article 37(7) of the GDPR also requires businesses to communicate their DPO’s contact details to the relevant Supervisory Authority (‘SA’). Whilst both the GDPR text and Article 29 Working Party/European Data Protection Board guidance remain silent on the exact practicalities of this point, some Supervisory Authorities have their own rules on how this should be done. In the UK, for example, the notification can be made as part of paying the relevant data protection fee or by sending an email to the ICO with the relevant details. In Poland, however, the notification must take place within certain timeframes and requires specific items of information to be submitted electronically, qualified by electronic signature. In addition, in countries that have Works Council obligations, it is wise to check whether appointing a DPO might also trigger any notification obligations to such bodies.
3. ‘One-Stop Shop’
Under the GDPR, organisations operating in several EU locations may appoint a single DPO to cover those locations and choose to nominate a lead Supervisory Authority (the ‘One-Stop Shop’). This is the Authority that the DPO will contact for compliance activities such as registering a DPO, notifying a high-risk processing activity or notifying a data security breach.
In practice the DPO may still need to deal with other Supervisory Authorities, as there are instances where local Supervisory Authorities may still get involved, e.g. where an incident has a specific impact on local residents. The DPO may therefore need to deal with other Supervisory Authorities in addition to the lead regulator, and will need to ensure that appropriate processes are in place to handle this (e.g. communicating in the local language if required).
4. User Rights requests
In transitioning to this new BAU world, businesses need to ensure that they build robust procedures to recognise and process user rights requests from individual customers, privacy advocates and others. In some cases the individuals making the requests may be unclear on the scope of the new rights and their applicability, such as the right to erasure or the right to data portability. Practical internal training, policies and procedures are absolutely key here, with clear guidance on when businesses do (and do not) need to comply with such requests, how to respond to them and what information should be provided. Further consideration should be given to potential technical solutions for responding to large volumes of requests.
Under the GDPR, in specific cases where processing creates a “high risk” to individuals, a Data Protection Impact Assessment (DPIA) will be required and the DPO will need to be involved in that process. In practice DPIAs should only be required in limited cases, but there will be instances where determining whether a “high risk” exists is difficult, and therefore clear risk criteria should be defined.
Whilst organisations recognise the need for specialist data protection skills and for the ‘paper shield’ that supports and evidences privacy compliance in areas such as rights requests and DPIAs, we are also seeing clients shift their focus to the need for solutions in the technology stack to support compliance. This is on the basis that the state of technology is now such that it can assist with compliance directly at the ‘data level’ and speed up response processes and timeframes, e.g. when dealing with large numbers of subject access requests.
Through ‘MyDPO’, PwC offer comprehensive services and support to help the Data Protection Officer and the Data Protection Office succeed in the GDPR ‘business as usual’ environment, providing assistance with the many day-to-day challenges that environment presents. If you would like to speak to a member of our team about our ‘MyDPO’ services, please email Brian Davidson or Fedelma Good to find out how we can support you.