Bloomberg Law: Privacy & Data Security brings you single-source access to the expertise of Bloomberg Law’s privacy and data security editorial team, contributing practitioners,...
By George Lynch
Companies doing business with the European Union have less than a year to comply with a new privacy regime, and one requirement in particular—that businesses have a designated “data protection officer"—is trickier than it sounds.
Finding qualified DPOs poses a significant challenge for companies. The International Association of Privacy Professionals estimated that companies will need to hire 28,000 DPOs in Europe and the U.S., and 75,000 total worldwide, to meet their DPO compliance obligation. The process is even more stressful for companies trying to meet the EU’s General Data Protection Regulation (GDPR) deadline because, official guidance on which DPO requirements will satisfy EU officials and country privacy regulators has been limited.
Companies should hire data protection officers who have a savvy business sense and good management and communication skills—not just legal know-how, privacy professionals told Bloomberg BNA.
Businesses are scrambling to meet the May 25, 2018 effective date for the GDPR, which mandates that they hire a DPO if their “core activities” involve processing that requires “regular and systematic monitoring of data subjects on a large scale,” or large-scale processing of special data categories that reveal biometric, racial, religious, or political characteristics. The requirements aren’t confined to EU companies but cover any company with business operations in the bloc or that focus on EU customers.
The GDPR will bring stricter standards for user consent to the use of their personal data, mandatory data breach notification, and fines as high as $20 million euros ($22.4 million) or 4 percent of a company’s annual worldwide income. Given the high stakes, appointing DPOs that are acceptable to privacy regulators and able to successfully navigate complex compliance waters is imperative, they said.
Companies will need to hire DPOs to act as business leaders, Bojana Bellamy, president of the Centre for Information Policy Leadership in London, told Bloomberg BNA. DPOs should play an integral role in business decisions and have a seat at the table with C-suite-level executives, she said.
The GDPR requires the DPO to “directly report to the highest management level of the controller or the processor.”
Monika Kuschewsky, privacy partner at Squire Patton Boggs LLP in Brussels, told Bloomberg BNA that what the GDPR text means with regard to requiring DPOs to have access to the “highest management level” in a company isn’t clear.
Bellamy said that regardless of any ambiguity, it is clear that the DPO should have “more authority, more seniority, and more impact” than it does today, especially in many European companies where the DPO is often a mid- or junior-level role, she said.
This means the DPO must report to “the CEO or chief operating officer who controls the collection and use of personal data or processes the data at a controller’s direction,” Winston Maxwell, privacy partner at Hogan Lovells LLP in Paris, told Bloomberg BNA. That isn’t the case in most organizations today, where DPOs usually report to a chief compliance officer or general counsel, he said.
In very high levels of the company, “business skills are critical” to be a successful DPO, Bellamy said.
Detlev Gabel, privacy partner at White & Case LLP in Frankfurt, told Bloomberg BNA that companies should regard DPOs as a metaphorical profit center, not a cost, because data protection compliance can pay dividends.
Maxwell, a co-creator of a joint education program that Hogan Lovells and the Paris Law School Pantheon-Assas, which was launched to certify individuals to be DPOs in the GDPR compliance scheme, said that management skills training is important because many existing DPOs “come from the legal department and are relatively junior.”
DPOs coming from the legal field who aren’t well versed in business can quickly marginalize themselves, Maxwell said. Lawyers tend to focus too much on the personal data risks that proposed actions may create, rather than considering a larger picture and giving management options to move forward, he said. Instead, DPOs need to be “a valuable discussion partner when the business is considering different solutions, none of which are likely to be perfect.”
Bellamy said that rather than focusing only on the problems of any project, the DPO must be a solution-maker, always thinking about how to achieve goals while protecting people’s information. If they are “nay-sayers” they will lose trust in the company and be marginalized.
Gabel said that to be successful on the business side, a DPO needs to be a facilitator and a communicator because they need to be able to bring everyone in the business on board to focus on privacy and data security.
Bellamy said a 2016 Centre for Information Policy Leadership report on the skills important for a DPO to be effective focuses on those communication and external engagement skills. An effective DPO under the GDPR scheme will need to be a business leader in working both inside the company and as the company’s high level representative with external stakeholders, such as public interest groups and other companies, as well as being the company’s primary voice in relations with privacy enforcement authorities.
The GDPR provides general information on the qualifications that a DPO should have but doesn’t lay out credentials in any detail. In three articles, it explains which organizations need to hire a DPO and describes the position and the tasks the DPO will perform.
The GDPR only provides that a DPO must “be designated on the basis of professional qualities and, in particular, expert knowledge of data protection law and practices and the ability” to perform tasks required by the GDPR.
The Article 29 Working Party, which is made up of privacy regulators from the 28 EU countries, has issued guidance on DPOs that attempts to add details to the GDPR’s ambiguous and vague provisions.
The guidance said that the required level of expertise “must be commensurate with the sensitivity, complexity and amount of data an organisation processes.” DPOs also “must have expertise in national and European data protection laws and practices and an in-depth understanding of the GDPR,” in addition to understanding a company’s particular business sector, information system, and data protection needs, according to the WP29 guidance.
Gabel said that DPOs need to understand a respective business’s processes, have insight into what the company is doing with data, and know where to look for potential privacy skeletons in the closet.
The regulators’ guidance is very detailed, Gabel said, and has a relatively low threshold for hiring DPOs. “The GDPR itself could leave the impression that the threshold for hiring DPOs is higher that WP29 suggests,” he said. However, the GDPR gives countries leeway to adopt stricter requirements than those set out in the law.
To contact the reporter on this story: George Lynch in Washington at gLynch@bna.com
To contact the editor responsible for this story: Donald Aplin at firstname.lastname@example.org
Copyright © 2017 The Bureau of National Affairs, Inc. All Rights Reserved.
All Bloomberg BNA treatises are available on standing order, which ensures you will always receive the most current edition of the book or supplement of the title you have ordered from Bloomberg BNA’s book division. As soon as a new supplement or edition is published (usually annually) for a title you’ve previously purchased and requested to be placed on standing order, we’ll ship it to you to review for 30 days without any obligation. During this period, you can either (a) honor the invoice and receive a 5% discount (in addition to any other discounts you may qualify for) off the then-current price of the update, plus shipping and handling or (b) return the book(s), in which case, your invoice will be cancelled upon receipt of the book(s). Call us for a prepaid UPS label for your return. It’s as simple and easy as that. Most importantly, standing orders mean you will never have to worry about the timeliness of the information you’re relying on. And, you may discontinue standing orders at any time by contacting us at 1.800.960.1220 or by sending an email to email@example.com.
Put me on standing order at a 5% discount off list price of all future updates, in addition to any other discounts I may quality for. (Returnable within 30 days.)
Notify me when updates are available (No standing order will be created).
This Bloomberg BNA report is available on standing order, which ensures you will all receive the latest edition. This report is updated annually and we will send you the latest edition once it has been published. By signing up for standing order you will never have to worry about the timeliness of the information you need. And, you may discontinue standing orders at any time by contacting us at 1.800.372.1033, option 5, or by sending us an email to firstname.lastname@example.org.
Put me on standing order
Notify me when new releases are available (no standing order will be created)