As businesses are being impacted by the European Union’s (EU) enactment of the General Data Protection Regulation (GDPR), many are asking themselves questions around the ownership of their privacy program. Do I need a Data Protection Officer (DPO)? Can I get by assigning this to my CISO, Director of Compliance, or my General Counsel?
The GDPR requirements for a DPO, including their duties and reporting structure, are spelled out in Section 4 of the regulation, which encompasses Articles 37-39.
According to Article 37, you must assign a DPO if:
- You are a public authority processor
- You regularly and systematically monitor data subjects on a large scale
- You are processing on a large scale any special categories of data pursuant to Article 9 and personal data relating to criminal convictions and offences referred to in Article 10
This article goes on to state that public authorities are able to designate a single resource that can aggregate the responsibility across multiple organizations. This decision needs to take into account the bandwidth of the DPO and how scalable the policies and processes are across the organizations.
It is also important to note that the DPO can be an employee of the organization or a contracted resource. In either case, the controller must publish the contact details of the DPO and ensure the EU supervisory authorities have this information.
While there are parts of the GDPR that are considered unclear or grey, the requirements for a DPO are very clear. The DPO role is new for many U.S.-based companies, but it should bring a strong sense of certainty around privacy to any company where EU citizen/resident data needs to be managed.
If you have questions about whether or not you need a DPO, please contact us at: http://www.americancsm.com/services/privacy-by-design/
*American Cyber Security Management (AmericanCSM.com) is focused on reducing your risk of data misuse. We do this through our Security, Privacy and DevOps offerings, delivered by seasoned experts. Our Privacy specialists can help you make sense of and comply with GDPR.