Late last week, the Article 29 Working Party (“WP29”) issued detailed guidance on companies’ obligations under three key provisions of the General Data Protection Regulation (GDPR). This is part one of a three-part Alston & Bird series evaluating WP29’s positions, and relates to Data Protection Officer obligations under the GDPR. Part 2 deals with the Right to Data Portability, while Part 3 analyzes guidance on the Lead Supervisory Authority mechanism.
The GDPR mandates that companies appoint a Data Protection Officer (DPO) in certain circumstances. DPOs have been a fixture of German law for decades, but can be a novelty for US-based multinationals, and they have resulted in much of the discussion surrounding the GDPR.
Last Thursday, WP29 released detailed guidance on companies’ obligations under the GDPR’s DPO provisions. WP29 recognizes DPOs as “a key player” in the GDPR’s “new data governance system.” Its guidance on DPOs provides a welcome look at breadth of the obligation to appoint a DPO, as well as a wealth of details on how companies must structure the DPO position. The following presents a summary of WP29’s positions, which will guide GDPR enforcement once the GDPR enters into force on May 25, 2018.
1. Obligation to Appoint a DPO
Under Art. 37 GDPR, companies must appoint a DPO when (1) their “core activities” involve (2) “regular and systematic monitoring” on (3) a “large scale.” WP29 provides useful glosses on all three elements.
• “Core activities:” WP29 defines “core activities” as the “key operations necessary to achieve the [company’s] goals,” but notes these do not include “necessary support activities” that are an “inextricable part” of doing business generally, such as paying employees or conducting IT support. Thus, for hospitals, processing patients’ ePHI is a core activity, while conducting monthly payroll would not be.
• “Regular and systematic monitoring:” Although WP29 notes that this concept “is not defined,” it states that it includes “all forms of tracking and profiling on the internet” – meaning any company with a European-specific (or European-traffic-heavy) consumer-facing website will need to evaluate whether the site employs tracking supporting “core activities” such as marketing goods or services to consumers. Moreover, WP29 lists over 10 further examples of “regular and systematic monitoring,” such as anti-money-laundering applications, loyalty programs, wearables, and Internet-of-Things devices. Besides these activities, WP29 lists factors for “regular and systematic” determinations indicating a broad approach likely to encompass many enterprise processing activities.
• “Large scale:” WP29 notes that any of the following can result in processing being on a “large scale:” (a) the number of individuals affected; (b) the volume of data processed; (c) the duration of the processing; or (d) the geographical extent of processing. Examples of “large scale” processing include internet service providers processing content, or analytics providers providing maps of fast food customers’ geolocation data.
Article 37 GDPR also requires companies to appoint a DPO when their “core activities” consist of “large scale” processing of sensitive data (defined in Art. 9(1) GDPR) or criminal convictions (defined in Art. 10 GDPR). The same glosses as discussed above apply here as well.
Notably – especially if a company elects not to appoint a DPO – WP29 recommends “document[ing] the internal analysis” used to “determine whether or not a DPO is to be appointed.” Failure to appoint a DPO when needed carries fines of € 10 million or 2% of annual turnover – and failure to meet accountability obligations doubles that fine – so companies would be well-advised to have documentation ready to support their decision. Also, companies that elect not to appoint a DPO should revisit – and re-document – the decision at regular intervals as their organization and operations grow.
2. Requirements for the DPO Position
Much of the discussion surrounding DPOs has come from companies who anticipate they will need a DPO, but are unclear on how the DPO position needs to be structured. WP29’s guidance provides a wealth of instructions for companies attempting to create the DPO position within their organization. Among WP29’s more salient requirements for the DPO position are:
Accessibility: DPOs must be “personally” available to the company’s supervisory authority (“SA”), local EU data subjects, and company employees. Moreover, DPOs’ communications with the SA and data subjects must be in the locally-spoken language. It will be important to make sure that same-day responses to SAs are possible, and that DPOs can respond to employees and data subjects quickly enough to avoid complaints. However, DPOs’ names do not need to be made public, and companies can route public and employee contact with the DPO through a hotline or online contact form.
Expertise: WP29 states that the DPO’s expertise should be “commensurate with the sensitivity, complexity and amount of data” a company processes. As a minimum, however, DPOs should possess (a) expertise in national and European data protection laws and practices and (b) an in-depth understanding of the GDPR. Companies appointing internal DPOs, especially non-European companies, should consider providing (and documenting) training in these fields.
Position within the Organization: Both internal employees as well as external firms or contractors can serve as DPOs. WP29 takes a flexible approach to where DPOs should sit within company structure. WP29 states only that the DPO’s “position within the organization” should provide him or her with the “ability to fulfil” the DPO’s statutory tasks. At the same time, WP29 notes that DPOs cannot be under a conflict of interest, such as being in a position where the DPO would “determine the purposes and the means of” any processing. To avoid this, companies should craft policies to screen potential conflicts during the appointment process.
Tasks and Powers: The GDPR defines DPOs’ task as “monitor[ing] compliance,” and WP29 provides detail on what DPOs may do to accomplish this. Specifically, DPOs may (a) collect information to “identify processing activities;” (b) check the compliance of processing activities; and (c) inform, advise, and issue recommendations. The DPO does not have decision-making authority, but these powers are significant. WP29 does not expressly use the word ‘investigate,’ and companies will need to be cautious in granting DPOs the WP29-mandated latitude without creating competing internal compliance instances.
Mandatory Involvement in Processing Issues: WP29 describes it as “crucial” that companies involve DPOs “in all issues relating to data protection” – and do so “from the earliest stage possible.” WP29 goes so far as to describe this as part of “privacy by design approach” that should be “standard procedure.” Specifically, WP29 states that DPOs must be involved (a) whenever “decisions with data protection implications are taken;” (b) whenever a data breach or other security incident occurs; and (c) by being regularly involved to management meetings. This will be a challenge for organizations, but can be accomplished in part through breach-response and (as discussed below) PIA processes. Notably, if management decides not to follow the DPO’s advice on an issue, WP29 recommends documenting the reasons for not doing so. This is to be recommended, since many DPOs (as well as – often unintentionally – company emails) will record the advice they provided.
Independence: While, for example, current German statutes simply state that DPOs are not bound by instructions, the GDPR and WP29 go a step further and state that DPOs “must not be instructed” on how to perform their tasks or on how to “view” a certain privacy issue. Company policies will need to reflect that the DPO is not bound by instructions from superiors in performing her tasks, and the concept that instructions to the DPO are off-limits may need to be socialized in some organizations.
Protected Employment: To help ensure DPOs’ independence, the GDPR provides that DPOs cannot be “dismissed or penalized” for performing their tasks. WP29 confirms that “penalizing” a DPO is a broad concept, encompassing both “direct or indirect” actions that US counsel would recognize as adverse employment action – e.g., delaying promotion or reducing benefits. WP29 also goes a step further, stating that “[i]t is not necessary that these penalties be actually carried out, a mere threat is sufficient” for a GDPR violation. Companies will need to ensure that management and HR properly structure and document any performance-related interaction with DPOs.
Support: The GDPR obligates companies to “support” DPOs “in performing [their] tasks.” WP29 conceives of this as a threefold obligation: DPOs must have sufficient (a) time; (b) continuing training; and (c) internal resources (financial resource, infrastructure, and staff) in order to fulfill their tasks. The more complex and/or sensitive processing operations are, the more resources need to be invested in the DPO. Most multinational companies will require a full-time DPO with CLE and a budget, and potentially with support staff.
Privacy Impact Assessments (PIAs) and Data Protection Impact Assessments (DPIAs): Article 35 GDPR requires companies to conduct DPIAs when new projects pose high potential risks to individual privacy. WP29 strongly recommends having DPOs involved in every aspect of the DPIA – from the decision to conduct the DPIA all the way to determining whether the DPIA has been implemented. Also, Art. 25 GDPR requires companies to adopt a “Privacy by Design” approach generally. Many companies have implemented this as a general PIA process mandatory for all projects that escalates to a GDPR-mandated DPIA when special risks are present. As stated above, WP29 believes that DPO involvement in any matter “with data protection implications” is part of a Privacy by Design approach – which would require DPOs to be involved in general PIAs to an appropriate degree. Companies will need to consider the DPO’s role as an integral part of their PIA/DPIA processes.
DPOs and Recordkeeping: Article 30 GDPR introduces substantial new requirements for companies to maintain current records of all processing activities conducted by their organization. WP29 states that companies may, if they wish, entrust the DPO with the task of “maintaining” their index of processing activities. Regardless of what department in a company owns the processing index, companies should ensure that DPOs have access to it.
Ability to Consult Supervisory Authorities: Article 39(1)(e) expressly permits DPOs to consult SAs on any matter “where appropriate.” At the same time, DPOs are “bound by” confidentiality “concerning the performance of [their] tasks.” WP29 clarifies that DPOs’ confidentiality obligations do not prohibit them from contacting or seeing advice from SAs. Note also that companies cannot penalize DPOs for properly consulting with SAs, although they can set processes in place to preserve sensitive information and applicable privileges.
Personal Liability: WP29 clarifies in multiple passages that DPOs are not “personally responsible” for “case[s] of non-compliance with the GDPR.” Instead, in WP29’s words, “[t]he GDPR makes it clear that it is the controller, not the DPO, who is required to ‘implement appropriate technical and organisational measures’” to ensure compliance. While this may help absolve DPOs who recommend action that is not followed, liability issues are likely not settled for DPOs who arguably fail to recognize a risk, or encourage a course of action that results in a fine. National contract and corporate law provide avenues for indemnity, professional-liability, or other damages claims, and WP29’s suggestion that the GDPR should be read to exempt DPOs from these general liability regimes is not binding on courts. External DPOs will need to consider professional insurance, while companies appointing internal DPOs will need to consider funding an E&O policy for the DPO. The potential to avoid additional insurance costs and to recoup fines from a DPO’s insurance would be one incentive for companies to consider an external DPO.
Taken together, these requirements create a substantial amount of work for companies to accomplish by May 2018. Starting early – and especially identifying potential DPO candidates – takes on even more urgency in light of reports that 28,000 DPOs may need to be appointed in response to the GDPR’s appointment requirements. DPO rules have non-trivial enforcement potential, since SAs can quickly check if a particular company has appointed a DPO.
A copy of the WP29’s DPO guidance can be downloaded here. Also, WP29 has issued FAQs on DPO obligations, which can be downloaded here.