I was reading an interesting article on the JD Supra website over the weekend and I thought it was one of the best pieces I have seen on clarifying who needs a data protection officer and what the DPO’s duties are.

The article starts out by saying:

The EU’s new General Data Protection Regulation (“GDPR”) adopts the German concept that a data-heavy company must appoint a data protection officer. In addition, the GDPR purports to apply the requirement to data-heavy United States companies that process personal information and (1) intend to offer products or services to people in the EU, or (2) monitors people in the EU.1 Specifically the GDPR requires:

  • All companies that process data as a “core activity” and that engage in “regulator and systematic monitoring of data subjects on a large scale” must appoint a Data Protection Officer.2
  • All companies that process certain types of sensitive data (g., race, ethnicity, political opinion, religious beliefs, union membership, biometric data, health information, etc.) as a “core activity” and on a “large scale” must appoint a Data Protection Officer.3
  • Other companies (e., that don’t monitor individuals on a large scale and/or process sensitive information on a large scale) may be required by individual Member States (e.g., Germany and others) to appoint Data Protection Officers.4
  • The Officer that is appointed must have “expert knowledge of data protection law and practices.”5 The level of expert knowledge should be proportionate to the company’s “data processing operations carried out and the protection required for the personal data processed.”6
  • The Officer can either be an employee, or work for a third party (g., a law firm), but must be independent.7 If they are an employee, independence may inhibit a company’s ability to terminate their employment.8
  • The Officer must be given company resources to carry out their responsibilities and to obtain ongoing training to maintain their expert knowledge, access to the company’s data processing personnel, and significant independence in the performance of his or her duties.9


It goes on to mention the duties of a DPO:

The following summarizes some of the duties of the data protection officers required by the GDPR:

  1. Report to C-Suite. The Officer must directly report to the “highest management level” of the company.15
  2. Consult on All Privacy Issues. The officer must be “involved in all issues which relate to the protection of personal data.”16
  3. Inform Company of Legal Obligations. The officer must “inform and advise” the company of their obligations under the GDPR and member state data privacy laws.17
  4. Monitor Company Compliance with Law. The Officer must “monitor” the company’s compliance with (1) the GDPR, (2) member state data privacy laws, and (3) the company’s own data related policies.18
  5. Monitor Company Privacy and Security Training. The Officer must monitor the company’s efforts to conduct data privacy and security related training of employees.19
  6. Monitor Company Privacy and Security Audits. The Officer must monitor the company’s efforts to conduct data privacy and security related audits.20
  7. Respond to Questions From Consumers / Employees. The Officer must be available to data subjects who raise questions or concerns regarding the processing of their data by the company, such as issues related to data security, withdrawal of consent, right to be forgotten, data portability, and cross-border data transfers.21
  8. Publicly Identified. The officer’s contact information must be made available to member state supervisory authorities.22
  9. Deal with Regulators. The Officer must act as a point of contact (if needed) with government agencies on issues relating to data.23
  10. Conduct Privacy Impact Assessments. The Officer must assist the company, if needed, in conducting data protection impact assessments.

In all I thought this was a useful piece that helps to clarify the duties and definition of who needs to consider employing a DPO. Though the information from the Information Commissioner’s Office is still quite vague on quite what large is when discussing processing on a large scale. I will endeavour to update you when I can find out.

To read the full article please follow this link: http://www.jdsupra.com/legalnews/data-protection-officers-a-comparison-27658/