With the upcoming first anniversary of GDPR in May this year, many businesses will be looking back on the past year with a mixture of relief coupled with some ongoing anxiety that the worst is yet to come. So far, with one high profile exception, the volume of fines has been relatively low - as have the relative penalties. But with the French authorities willing to set a fine of $50 million euro this could set a precedent, especially for large multinationals.
Furthermore, of those other organizations that have received fines for infringement, the offences that have gained public attention have been highly varied; from an incident of too-relaxed access to patient data at a Portuguese hospital to a case, to where an Austrian business was fined for its CCTV capturing pedestrians on an adjacent street. These cases demonstrate the significant scope of GDPR and how many different challenges businesses need to be prepared for beyond a conventional data breach incident.
So, how can businesses continue to prepare for these seemingly myriad circumstances? One of the key aspects is having a dedicated Data Protection Officer (DPO) within the organization, who is tasked with really getting to grips with the requirements of the GDPR. DPOs are responsible for, amongst other things: ensuring and monitoring an organization's compliance, informing and advising on its data protection obligations, and acting as a contact point for data subjects and the relevant supervisory authority.
A DPO needs to be appointed and installed if the core activities of a business consists of data processing operations require regular and systematic monitoring of data subjects on a large scale; or when the organization's core activities consist of large-scale processing of so called “special categories” of data - which contains sensitive personal data such as data about health, political views, trade union memberships etc. It is important, however, to recognize that national laws might impose additional requirements on the appointment of a DPO. For example, in Germany there are stricter rules for appointing a DPO.
Therefore, two crucial questions businesses face are to assess whether they need to appoint a DPO, and if so, who they should give that responsibility to. In practice, most medium to large businesses will need to appoint a DPO if they are to meet the requirements of the GDPR. To do so, there are two different options: Appointing a particular existing employee internally or outsource the role of the DPO to a suitable provider.
It is important, however, to avoid conflicts of interest in the role of the DPO. The UK Information Commissioner's Office's (ICO) guidance, for example, advises that `most senior positions within an organization are likely to cause a conflict.' This excludes, but is not limited to, many board level positions including CEO, CFO and head of IT. Further, candidates are required to have a certain level of expertise, including professional experience and knowledge of data protection law.
To date, internal candidates have proved to be the most popular option. This is no surprise as it keeps the process simple and, in many cases, the appointee will have a good understanding of the complexities that the respective business faces when it comes to data processing and storage. It is therefore essential, that the respective candidate has a good level of expertise of the legal and technical undertakings required to build, implement and manage data protection programs. The more complex or high-risk the data processing activities of an organisation is, the greater the expertise the DPO will need to be.
While DPOs do not have to be qualified lawyers, senior legal counsel remain a very popular choice for appointees as they tend to have the experience that is needed to fulfill the obligations of a DPO. Even though they might be an excellent fit, problems often arise when the workload of a DPO is underestimated and the full workload of a DPO role is imposed on an already busy counsel.
For a medium to large organization, that receive significant amounts data from its customers or clients that are being processed in various ways, it's very easy for the role of the DPO to take up the majority of an appointee's time or, conversely, for a DPO to have insufficient bandwidth to properly address the latent issues and to implement and ensure compliance.
It's easy to see how this can be a very serious and time consuming role and not one that many already busy employees would relish - even more serious, that the aspect in and of itself of not granting to the DPO the necessary time resources, could be cause for a fine. Therefore, it is important that the DPO has the capacity to perform the tasks properly. Depending on the size of the company, it may also be necessary for the DPO to be assisted by a team of employees in his or her duties.
Another solution that is proving to be increasingly popular is the outsourcing of the DPO function, with the role contracted to an individual or organization. This ensures a clear separation of roles that prevents a conflict of interest arising between the DPO's primary tasks and other functions that are tasked with delivering, as well as ensuring a clarity of focus.
An external party could also be in a better position to take a step back and assess the vulnerabilities of an organization objectively, with fewer concerns that they will ignore long-standing, but non-compliant practices out of either habit or fear of offending others. They will, in many instances, be able to bring a broader experience from multiple sectors and different issues. Outsourcing also transfers the personal risk a DPO takes on from a company employee to an external advisor, perhaps better equipped for this responsibility.
In conclusion, GDPR still is the cause of many sleepless nights for organizations across the EU and beyond. The precedence set over the first year has shown, that regulators are keeping watch and the even apparently minor infringements can and will be subject to considerable fines. And perhaps more damaging than the financial penalty is the reputational impact, as, for example, the impact of a data breach can lead to significant loss of trust amongst clients and customers, and as a resultant impact on share price.
Putting in place an effective privacy governance, including a DPO, is one of the best ways to address these concerns and ensure ongoing compliance. However, it is important businesses realize the scale and scope of such a role if it is going to be fulfilled properly. Whether appointed internally or outsourced as an external service, the top priority has to be to ensure the DPO has the capacity, support and time to do justice to the role and ensure that compliance does not only tick boxes but is an integral part of a working compliance management system.
KPMG Law in Australia
Head Legal Transformation & Technology Law
KPMG in Switzerland
Nikola A. F. Werry, LL.M. (UK)
Manager, Compliance, Governance and Organisation
KPMG Law Rechtsanwaltsgesellschaft mbH
Previously published on compliancemonitor.com, June 4, 2019.