As the deadline for GDPR approached, a new job function emerged across Europe – the Data Protection Officer. This was a response to the need for compliance with the new regulation, and many organizations appointed individuals to fill this role.
Since then, much has changed. Organizations have had the chance to work with data protection in a more structured manner, learning what works and what can be improved. At the same time, the demand for advanced data processing has grown significantly, with technologies like artificial intelligence, machine learning, and facial recognition becoming more commonplace in a variety of settings and for various purposes. Prior to GDPR becoming enforceable, only a handful of organizations were involved in these activities, but they have now become more widespread.
This article will explore the advantages of both the Chief Privacy Officer and the Data Protection Officer roles. Additionally, I will discuss some of the challenges associated with each position and why they have led both officers and organizations to question which setup is ideal for them. Finally, I will share my opinions on the optimal organizational structure for different types of organizations.
Data Protection Officer (DPO)
To appoint a Data Protection Officer, organizations must comply with the requirements set out in GDPR articles 37-39. These cover reporting lines, the absence of conflicts of interest, qualifications, involvement in processing matters, monitoring, and reporting. It’s important to note that not all organizations are required to appoint a DPO, only those whose processing falls within the scope of art. 37(1)(a)-(c).
EDPB guideline WP243 emphasizes the importance of the Data Protection Officer being extensively and directly involved in the organization’s processing activities. In case 18/2020, the Belgian APD/GBA ruled that once appointed, the DPO must be properly and promptly involved in all matters related to personal data protection. For instance, reducing the DPO’s involvement in a personal data breach to a mere notification after the incident would violate the GDPR and erode the function’s effectiveness. Additionally, in case 41FR/2021 the Luxembourg CNPD found that the organization breached art. 38(1) by involving the DPO only on an ad hoc basis in a few internal meetings and committees dealing with personal data processing. Instead, there should be a defined rule or meeting frequency governing the DPO’s involvement.
It’s crucial to remember that the primary responsibility of the Data Protection Officer is to serve as a representative for the data subjects whose personal information an organization processes. However, it’s important to note that the DPO is not authorized to determine the purposes or methods of processing personal data, as outlined in decision 07121-1/2021/577 by the Slovenian DPA.
Chief Privacy Officer (CPO)
The primary difference between the DPO and the CPO role is that the CPO can represent the organization’s data processing interests and participate actively in developing solutions for the organization’s data processing needs. In practice, this means the CPO can engage with internal stakeholders on the design of a solution, act as the data protection expert “of the organization”, and thereby take an active role in providing arguments and proposals for how the organization can justify and explain its data processing activities.
The CPO role is not necessarily labelled CPO. Some organizations use other designations, such as Data Protection Lead or Privacy Counsel. What the different job titles have in common is that they refer to a role organized in the first line of defense of the organization and directly involved in handling and resolving data protection matters.
Limitations on the DPO’s involvement
It’s important to note that the DPO cannot serve as an advocate for the organization’s right to process data, especially in more challenging or marginal types of data processing. The organization must adhere to the GDPR requirements and acknowledge the limitations of the DPO’s role.
Consequently, the organization cannot ask the DPO to propose or approve data processing practices. The responsibility for decisions regarding data processing remains with the organization, and the DPO cannot take part in the decision to accept and initiate specific processing activities. However, this should not be read as a blanket limitation on the DPO’s ability to actively participate in evaluating and providing guidance on specific processing activities. Such involvement is critical for a robust privacy management program and for the overall compliance of the organization.
There are therefore constraints on the tasks the organization can expect the DPO to carry out on its behalf.
Determining the optimal data protection structure
Whether your organization needs a DPO, a CPO or both depends on 1) the size of your organization, and 2) the nature of your processing activities.
The GDPR provides direct guidance on when a DPO must be appointed, i.e. where the processing activities are a) carried out by a public authority, b) require regular and systematic monitoring of data subjects on a large scale, or c) consist of large-scale processing of special categories of data.
However, for a number of smaller organizations subject to these requirements, it may be difficult to appoint a full-time DPO. In addition, and in particular for smaller organizations involved in more advanced data processing activities, there will often be a separate demand for more operational data protection support, e.g. negotiation of data processing agreements or data protection guidance on the development of new services.
Similarly, B2B organizations that produce non-digital products may process personal data only to a limited extent, relating to their employees and a few business relations. Just as these organizations are not required to appoint a DPO, it would also make little operational sense for them to allocate a full-time resource to data protection matters.
Conversely, larger, more complex organizations, including B2B organizations that have surpassed a certain employee threshold, may require one or more full-time data protection resources to manage their organizational complexity and employee-related data processing activities.
The critical question, therefore, is when and whom the organization should appoint to support its data protection functions.
Determining when to appoint a data protection point of contact
Organizations with fewer than 250 employees
For organizations with fewer than 250 employees, unless they engage in advanced data processing activities, there may not be a need for a designated data protection resource. Naming someone in the organization without the necessary knowledge of or interest in data protection as the “data protection champion” would not be effective. Such organizations should seek ad hoc external advice for occasional data protection questions. However, if the organization is involved in advanced data processing activities, a part-time external DPO may be appointed while the internal legal team provides support for daily operational data protection matters.
Organizations with 250 to 999 employees
Organizations with 250 to 999 employees, engaged in standard data processing activities, will require internal data protection expertise to guide and support them in various matters. The extent of the work may not require a full-time position. Hence, the data protection support is best provided by a resource located in the legal team with some upskilling or specialization in data protection. However, if the organization is involved in advanced data processing activities, a full-time data protection resource may be needed. In this case, the organization may appoint a CPO and rely on an internal or external part-time DPO.
Organizations with 1000 to 4999 employees
For larger organizations with 1000 to 4999 employees and more complex organizational structures and business processes, it will be necessary to have a dedicated data protection resource. Even for larger organizations with limited data processing needs, the mandatory maintenance of the RoPA (records of processing activities, art. 30) and the recurring need to enter into DPAs (data processing agreements) with external parties for various business needs require expert knowledge of data protection requirements. A full-time CPO can assist the organization in day-to-day data protection matters. For larger organizations involved in advanced data processing activities, it may be relevant to appoint both a full-time CPO and a full-time DPO. The CPO should always be an internal resource who can work closely with the various business functions of the organization.
Organizations with more than 5000 employees
Massive organizations process data extensively due to their sheer size and number of employees. All trends and developments indicate that even less data-dependent organizations and industries will have to adopt new and more advanced data processing capabilities to meet business and customer demands in the future. Therefore, a full-time dedicated resource is necessary to internally drive awareness of and compliance with data protection requirements. The CPO should be responsible for developing a strong data protection foundation, while the DPO plays a critical role in ensuring the effectiveness of business processes and providing guidance and advice on how to mitigate the risks for data subjects that the processing activities of the organization may entail.
The organizational placement of the Data Protection Officer (DPO) and Chief Privacy Officer (CPO)
The placement of the Data Protection Officer (DPO) and Chief Privacy Officer (CPO) within an organization is a frequently discussed topic. The GDPR and decisions by Supervisory Authorities have placed restrictions on the placement of the DPO. In case 41FR/2021, the Luxembourg CNPD found that the existence of several hierarchical intermediaries between the DPO and the highest level of management of the company was in breach of art. 38(3), as it limited the DPO’s autonomy and independence.
Smaller and most medium-sized organizations may find it challenging to establish an independent DPO role that reports directly to the executive management. Larger organizations may establish other similar functions that report directly to either the executive management or board of directors. Alternatively, the DPO can be placed within several organizational functions, such as Legal, Compliance, or Security, as long as there is a clear mandate that establishes the DPO’s rights and independence and the DPO is not involved in determining the purposes or means of processing personal data.
The CPO role is more operationally focused, and there is more flexibility in how it can be organized. The CPO may report to the General Counsel, CEO or Corporate Affairs Officer, or Head of Compliance, depending on the existing organizational split of responsibility and the key components of the role. If the role is mostly involved in advising and counseling around operational data protection matters, it may make sense to organize the role in the legal function. If the role is expected to take a more prominent role in raising awareness, training, and governance development, it may make more sense to place the role in compliance. If data processing is a fundamental part of the core activities of the organization and customer trust in the data processing activities is critical, it may make sense for the CPO to report to the CEO or Corporate Affairs Officer.
As requirements become more specific and complex, the need for close collaboration with data protection experts will increase. Organizations must be mindful that the CPO and the DPO fulfill two important but very different roles.
DELTA Data Protection & Compliance, Inc. Academy & Consulting – The DELTA NEWS