The Rise of the Data Protection Officer

On May 25, 2018, the much-publicized European Union General Data Protection Regulation (GDPR) came into force, marking the biggest change in data protection legislation in Europe for over 20 years. Many will be aware of the GDPR's application to businesses established in the EU. What is less well understood is that, in some circumstances, the GDPR can also apply to businesses located outside the EU. This is referred to as the extraterritorial effect of the GDPR, and effectively extends the scope of EU privacy law to businesses located outside the union that:

For daily updates, subscribe to our newsletter by clicking here.

 

• offer goods or services to individuals who are in EU

• monitor the behavior of individuals whilst they are in EU

Organizations that find themselves handling personal data under the extra territorial rules must fully comply with the GDPR in relation to the collection and use of this data. They must also appoint a representative in the EU who can act as a local point of contact for individuals (who may wish to exercise their privacy rights under the GDPR) and for data protection authorities (in case they may want to take any enforcement action).

Alongside the requirement to appoint a representative within the EU, organizations may find that they need to appoint a Data Protection Officer (DPO). The DPO is intended to act as an independent function within the organization, to help guide and assure compliance to the GDPR.

The requirement to appoint a DPO comes into play if an organization's core activities involve:

• processing particular types of data known as special category data (e.g., data relating to health, race, religion, etc.), or criminal conviction data on a large scale

• undertaking large scale, regular, and systematic monitoring of individuals

Israeli businesses that find themselves subject to the GDPR under the extraterritorial principles, and those whose core activities involve processing data of the types referred to above, will be required to appoint a DPO. Unlike the EU representative, the DPO is not legally required to be located within the EU and so may be based in Israel. What is most important is that the person appointed to the role has the requisite expert knowledge regarding data protection laws and practices.

When appointing a DPO, be aware of the core statutory responsibilities that the DPO role carries as set out in the GDPR:

• to inform and advise the organisation and the employees processing the personal data of their obligations under GDPR and other EU and member state data protection provisions;

• to advice on data protection impact assessments and monitor their performance;

• to monitor compliance with GDPR, with other EU and member state data protection provisions, and with the policies of the organization in relation to the protection of personal data, including the assignment of responsibilities, training of staff involved and the related audits;

• to cooperate with data protection supervisory authorities;

• to act as the contact point for the supervisory authorities on issues relating to processing and consult with them, where appropriate, with regard to any other matter

As the DPO role is a relatively new one and the GDPR is something that affects almost all organizations located in or trading with Europe, it is not surprising to see a material increase in demand for data privacy professionals to take on DPO roles. One study carried out by the nonprofit International Association of Privacy Professionals estimated that around 75,000 DPOs will be required worldwide to cater for the demand. Many organizations have struggled to find suitable candidates for the role due to the scarcity in the market of suitably experienced and knowledgeable applicants, so many are opting to either train existing employees or outsource the role to third-party providers (although this market is relatively immature). Whichever option an organization chooses, it should ensure that the individual/third party provider appointed:

• has expert knowledge of the GDPR and member state data protection laws and practices;

• has knowledge of the business sector and the organization itself;

• can fulfill the role with the required degree of independence from the organization and without conflict with any other role performed;

• is bound by appropriate secrecy/confidentiality obligations

Further information on the GDPR requirements relating to DPOs can be found in the European Data Protection Board's Guidelines on Data Protection Officers, available here.

Andrew Dyson is a partner at the DLA Piper Intellectual Property and Technology group, where he co-chairs the UK Data Protection, Privacy and Security practice. Robyn Palmer is a legal director in DLA Piper's UK Data Protection, Privacy and Security practice.