Since the General Data Protection Regulation (GDPR) was enacted a little over 3 years ago in May 2018, many organizations that collect personal data of individuals in the European Union (EU) have enhanced their data privacy programs to comply with the regulation. However, many of these organizations have either intentionally omitted or unknowingly decided Articles 37-39 of the GDPR are out of scope for their organization. As a refresher, Article 37 requires certain organizations to appoint a Data Protection Officer (DPO), Article 38 ensures appointed DPOs are properly embedded in the organization to address data protection issues, and Article 39 requires certain tasks are performed by the DPO.

Unsurprisingly, organizations tend to elude the appointment of a DPO because of the challenge in both interpreting the requirements and identifying a resource with the privacy expertise to adapt and implement Articles 37-39 of the GDPR. However, organizations that do not have a DPO can be at risk of regulatory investigations, penalties, loss of revenue generating contracts, litigation, and diminished brand reputation or loss of consumer trust. In 2020, the Data Protection Authorities of Spain and Belgium fined organizations for their lack of appointment of a data protection officer totaling fines of 75,000 Euros. [1]

Is a DPO really required? Article 37 of the GDPR requires all organizations processing personal data (regardless if they are controllers or processors) appoint a DPO if one of these three situations apply:

• The processing is carried out by a public authority or body;
• The core activities of the controller or the processor consists of processing operations which require regular and systematic monitoring of data subjects on a large scale; or
• The core activities of the controller or the processor consist of processing on a large scale of special categories of data or personal data relating to criminal convictions and offences.

In general, organizations appoint a DPO because their “core activities” involve regular or systematic monitoring of data subjects on a large scale. However, even if you deem your organization does not fit the criteria, the following are reasons why now is the best time to proactively assign a DPO to your company:

1. Individual Member State Laws - Some individual EU Member States may extend DPO conditions. For instance, Germany has a lower threshold where DPO is required if a minimum of ten employees carry out the automatic processing of personal data on an ongoing basis. If the company has a presence in Germany, it will most likely have to appoint a DPO.
2. Standard Contractual Clauses (SCCs) – With the release of the new SCCs for cross-border data transfers, additional due diligence, transfer assessments and security considerations are required where a DPO can provide the appropriate guidance.
3. ePrivacy Regulation – With the Council of the EU adopting a new version to replace the ePrivacy Directive, additional interpretation and integration of the electronic communications and confidentiality requirements covering not just personal data, but metadata will need to be conducted where a DPO can also provide guidance.

Additionally, other privacy and data protection laws around the world besides the GDPR require organizations to designate a data protection officer to translate data privacy requirements into practical reality. [2]

So now you are considering a DPO, someone in your organization can just take that role, right? Unfortunately, attaching a label on an internal resource such as a local country in-house counsel to be the DPO is not sufficient. There have been identified “conflicts of interests” by data protection authorities referencing Article 38 of the GDPR when organizations have gone this route. Specific to Article 39 of the GDPR, a DPO must:

• Inform and advise the controller or the processor and the employees who carry out processing of their obligations pursuant to the GDPR and to other Union or Member State data protection provisions;
• Monitor compliance with GDPR with other Union or Member State data protection provisions and with the policies of the controller or processor in relation to the protection of personal data, including the assignment of responsibilities, awareness-raising and training of staff involved in processing operations, and the related audits;
• Provide advice, where requested, regarding the data protection impact assessment and monitor its performance pursuant to Article 35 of the GDPR;
• Cooperate with the supervisory authority;
• Act as the contact point for the supervisory authority on issues related to processing, including the prior consultation referred to in Article 36 of the GDPR, and to consult, where appropriate, with regard to any other matter.

In addition, the DPO shall, in the performance of the tasks, have due regard to the risk associated with processing operations, taking into account the nature, scope, context and purposes of processing. Given this role, the DPO can also address and support other privacy requirements you may be unsure about.

So, if you haven’t appointed a DPO yet, now is the time. If you are still unsure of the value and can’t identify a resource with the right expertise, consider employing a third-party (outsourced) DPO. An external DPO should possess comprehensive knowledge of the privacy landscape and operate independently, avoiding any potential conflict of interest between the DPO and your organization’s other business activities.

Regardless if you assign the DPO role internally or to a third party, having a DPO not only addresses key GDPR requirements, but it will provide you the expertise necessary to reduce your organization’s privacy compliance risk.