Data Protection Officers Should Know Companies, Irish Regulator Says

Bloomberg Law: Privacy & Data Security brings you single-source access to the expertise of Bloomberg Law’s privacy and data security editorial team, contributing practitioners,...

By Jimmy H. Koo

Ireland’s recent guidance on how companies should select a data protection officer to comply with the EU’s new privacy regime correctly highlights the company-specific nature of the exercise, privacy professionals told Bloomberg BNA.

Companies doing business in the European Union have less than a year to comply with its General Data Protection Regulation (GDPR), which takes effect May 25, 2018. The GDPR requires, among many other things, that certain companies have a designated DPO if their “core activities” involve processing that requires “regular and systematic monitoring of data subjects on a large scale,” or large-scale processing of special data categories that reveal biometric, racial, religious, or political characteristics.

Privacy professionals welcomed the emphasis in the guidance issued by the Office of the Irish Data Protection Commissioner on the need to appoint a DPO with specific knowledge of a company’s data processing operations.

The guidance is significant because many U.S.-based multinationals make their EU home in Ireland, including tech giants Apple Inc., Facebook Inc., Microsoft Inc., and Alphabet Inc.'s Google. Ireland’s privacy office is the primary EU privacy regulator for those companies, and plays an outsized role in the bloc as a privacy policy maker and enforcer.

Robin B. Campbell, Washington-based partner at Squire Patton Boggs LLP and the co-leader of the firm’s data privacy and cybersecurity group, told Bloomberg BNA that although Ireland’s guidance doesn’t give many specifics, it “reinforces the fact that designating a DPO is very fact-specific.”

Emerald de Leeuw, CEO of EuroComply Data Protection Technology in Dublin, told Bloomberg BNA that the Irish regulator makes it clear that a DPO must understand the company’s data processing activities as well as the categories of data that are being processed.

Companies are still trying to figure out exactly what kind of data processing they conduct and “many companies are still very confused as regards to whether they need a DPO,” de Leeuw said.

Knowledge of Industry, Organization

Francoise Gilbert, a shareholder focusing on global data privacy and security at Greenberg Traurig LLP in East Palo Alto, Calif., said that “there is little experience about DPOs throughout the world,” because only few countries included the concept in their data protection laws before the GDPR was adopted.

The “collective experience” of these countries suggests that DPO applicants may be required to pass a specific exam or have minimum number of years of “demonstrable experience in the privacy and security field,” Gilbert told Bloomberg BNA.

John Bowman, senior principal in Promontory Financial Group LLC’s global privacy and data protection practice in London, told Bloomberg BNA that the Irish data protection commissioner “has recognized that a high level of expertise and knowledge is required to fulfill a data protection officer’s duties under the GDPR.”

But others said passing exams and having expertise isn’t everything when it comes to being an effective DPO.

Gabe Maldoff, privacy and data protection associate at Bird & Bird LLP in London, told Bloomberg BNA Aug. 16 that Ireland’s guidance “in part mirrors” what the Article 29 Working Party, which is made up of privacy regulators from the 28 EU countries, said in its guidance on DPOs. The Art. 29 Party said that “a DPO’s level of qualifications should be commensurate to the way an organization uses data.”

“Where the Irish guidance goes further, and where ultimately it is helpful, is in suggesting that a DPO’s qualifications include an ‘understanding of the processing operations,’ ‘knowledge of the business sector and the organization,’ and an ‘ability to promote a data protection culture within the organization,’"Maldoff said.

It isn’t just privacy credentials that count, but also deep knowledge of the industry and organization, Maldoff said.

Gilbert said that if a company determines it isn’t required to appoint a DPO to comply with the GDPR but elects to appoint someone to carry out similar duties “they should consider giving that person a title other than DPO, so that they don’t inadvertently vest that person with rights or protection that he would not otherwise have.”

To contact the reporter on this story: Jimmy H. Koo in Washington at jkoo@bna.com

To contact the editor responsible for this story: Donald Aplin at daplin@bna.com

For More Information

Full text of the guidance is available at http://src.bna.com/rI6.

Copyright © 2017 The Bureau of National Affairs, Inc. All Rights Reserved.

Request Bloomberg Law: Privacy & Data Security