When a business owner becomes aware that they must abide by the GDPR or any other data protection law, one of the first questions to pop up in their head is - Do I need a DPO? Learn all about DPOs here.
The short answer is - maybe.
In the paragraphs that follow, we'll go into more detail regarding data protection officers and help you decide whether you actually need one.
You will learn:
What is a data protection officer
Does your business need a DPO
How various laws, including GDPR and CCPA, handle the DPO questions
Do small businesses need a DPO
Who can be a DPO
What is the DPO’s position in an organization, and
What are the DPO’s tasks
What is a Data Protection Officer (DPO)?
The person who manages data protection issues in a company is the data protection officer.
The DPO is not just a random employee - it is a person who has been formally designated to perform the tasks that the law assigns to a DPO.
A DPO is also different from a legal representative in a country. Some data protection laws, such as the GDPR and the CCPA, require some foreign businesses to appoint legal representatives in the EU or Thailand to serve as contact points for the national authorities or data subjects.
The DPO and the legal representative may or may not be the same person. It is important to note that the two roles have different competencies and involve different jobs.
Do I need a DPO?
Some companies need to appoint a DPO, but not all.
You may or may not need to appoint one. That depends on two things:
Whether the applicable law requires you to appoint one
Whether you meet the legal thresholds and requirements that trigger the duty to appoint a DPO.
This means that you need to determine what data protection laws are applicable to you, and then determine whether these laws require you to designate a DPO.
We will explain the legal requirements through the following laws: the GDPR of the EU, the CCPA of California (US), the LGPD of Brazil, Canada's PIPEDA, Thailand's PDPA, South Africa's POPIA, and the UAE PDPL.
Each of these laws applies to your business if either you or your users are from the country, state, or region where the law applies.
So, if you are a Canadian business with customers from the EU and the US, the PIPEDA and GDPR apply to you. The CCPA applies as well if you meet the applicability thresholds.
Once you know what laws apply to you, it is time to determine whether these laws require you to appoint a DPO.
No two laws are the same, but their provisions often overlap. The DPO provisions of several laws worldwide are one such example.
The GDPR introduced DPOs to the world, and the nations that adopted the EU's model introduced DPOs as well.
EU GDPR
For most companies, a DPO is not mandatory under the GDPR. Only companies that meet one of the following criteria must designate a DPO:
Where the processing is carried out by a public authority or body (excluding courts acting in their judicial capacity). This criterion applies only to public authorities.
Where the core activities of an organization consist of processing operations that require regular and systematic large-scale monitoring of individuals. This includes advertising companies that process users' behavior, such as Google and Facebook. Companies that regularly process geolocation data, such as Strava, also fall under the scope of this requirement. Website analytics companies, no matter how big or small, may also meet this requirement.
Where the core activities of an organization consist of large-scale processing of special categories of data or of data related to criminal convictions and offenses. This includes hospitals that process vast amounts of patients' health data or banks that process customers' financial data.
You must appoint a DPO only if you satisfy one of these conditions. In all other situations, having a DPO is recommended but not required.
Data Protection Laws of the US States
The CCPA does not require a DPO in any company.
It requires companies to have a person designated for responding to consumer requests, but that’s different from having a DPO.
Utah, Virginia, Connecticut, and Colorado have all passed data protection laws, but none of them mentions a DPO.
Brazil LGPD
When it was first introduced, Brazil's LGPD required all businesses to appoint a DPO. This was later changed by a Resolution of the ANPD, which exempted micro-enterprises, startups, small businesses, and non-profits from the obligation to designate a DPO. All they need is to have channels for receiving data subject requests.
Large enterprises, however, still need to designate a DPO.
Canada PIPEDA
PIPEDA relies on ten principles. The first of them - accountability - requires businesses to appoint a person responsible for ensuring PIPEDA compliance.
The law doesn't go further in its requirements, but it makes clear to companies that meeting the accountability principle means having someone who takes care of data protection seriously.
Thailand PDPA
The Thai PDPA explicitly requires the appointment of a DPO for:
Government bodies
Companies whose activities require regular monitoring of large amounts of personal data
Companies whose core activities include the collection, use, or disclosure of sensitive personal data.
This law is similar in requirements to the GDPR. It also emphasizes the necessity for the independence of the DPO.
South Africa POPIA
The POPIA of South Africa requires businesses to appoint an information officer, whose role is very similar to that of the DPO under other laws. It does not differentiate between companies: it requires all of them to appoint a person to take care of data protection.
UAE PDPL
According to the PDPL, a DPO must be appointed whenever the processing of sensitive personal data:
Poses a significant risk to the data subject's privacy as a result of implementing new technologies
Involves a systematic and thorough evaluation of sensitive personal data, including automated processing and profiling, or
Involves processing sizable amounts of sensitive personal data.
Similar to the GDPR, the PDPL mandates that businesses employ a DPO with the necessary expertise in data protection to oversee compliance. The DPO may be a firm employee or a third party, based inside or outside of the UAE.
As a result, organizations that already have a DPO for GDPR reasons may employ the same person to carry out a comparable function with respect to the UAE, provided that person has received training and support regarding UAE standards. The PDPL further specifies that resources must be made available to the DPO to ensure that they can fulfill their duties.
Are small businesses required to appoint a DPO?
In general, the legal requirements do not depend on business size. All businesses that meet the requirements for appointing a DPO need to do so, whether large or small.
In its guidelines on DPOs, the European Data Protection Board also suggests appointing a DPO on a voluntary basis as a good business practice.
Who can be a DPO?
Businesses usually have two types of questions about who can be a DPO:
Does the DPO have to be an employee of the organization? The answer is no. You can choose an insider to fill the position, or you can recruit an outsider. In fact, many organizations provide DPO-as-a-Service. Data protection legislation does not restrict who can serve as your DPO.
What are the qualification requirements for the DPO? Laws do not burden data controllers with requirements regarding the qualifications of DPOs, but controllers are expected to appoint a person who understands the data protection requirements.
Some of the expected qualifications could include:
Understanding of data processing operations in the company
Understanding of data protection laws
Understanding of IT and data security
Ability to promote data protection in the organization.
This is not an exhaustive list. It will be sufficient for some organizations, but not for all. If your company processes personal data on a large scale, it is wise to hire an expert to oversee your processing activities. Such data processing activities involve many risks that should not be left to chance.
What is the position of the DPO?
The Data Protection Officer must be independent in their work. There must be no conflict of interest.
In practice, this means that:
The DPO cannot be instructed by anybody inside the company on how to perform their duties.
The DPO cannot decide how to treat data (they can advise, but not make decisions, which excludes the marketing manager from doing DPO work).
The DPO cannot be penalized in any manner for carrying out their responsibilities.
The data protection officer only monitors compliance. They offer guidance to decision-makers on how to abide by the relevant legislation, but they do not make the choices themselves.
For example, the marketing manager makes decisions on what third-party tools to use for marketing automation or for advertising. The role of the DPO is to oversee this process and to advise them on whether the chosen tools (data processors) are compliant with the law, whether they collect only the minimum amount of data, and on other data protection issues.
They may also recommend compliant tools.
However, the DPO cannot make any decisions. That is why the marketing manager must not be appointed as DPO - there would be a conflict of interest between doing their best in the marketing department and doing their best as a DPO, because the two goals are not always aligned.
What does the DPO need to do?
Having in mind the position of the DPO, their tasks include:
Identifying processing activities
Analyzing the activities
Checking that the processing complies with the applicable law
Informing, advising, and issuing recommendations to the data controller.
This is rarely a full-time job, but it is very important.
The DPO’s job is to oversee every bit of data processing and ensure that it complies with whatever law applies to such processing. That involves monitoring personal data from the moment it is collected to the moment it is erased.
Conclusion
Appointing a DPO is sometimes a must. In all other situations, it is still good practice.
Data protection laws, in general, do not burden all companies with DPO requirements.
However, it doesn’t mean that you can take data protection lightly.
You still need to meet all the legal requirements for compliance. In many cases, having a person dedicated to protecting your users’ data will make things run smoothly.
Thanks for reading.