
GDPR is keeping managers on their toes: who needs a DPO?

April 3, 2018


Last year, US-based companies that market their products in any of the 28 member states of the European Union had some homework to do. The General Data Protection Regulation (GDPR) is on its way and it is going to be a game changer for many businesses. One of the most important changes is the obligation to appoint a Data Protection Officer (DPO) for controllers and processors involved in high-risk processing activities. Do you need to start hunting for a DPO or not?

Brief context

In May 2018, the EU’s General Data Protection Regulation (GDPR) is set to take effect, bringing the greatest change in data privacy and security in 20 years. EU-based companies, as well as international corporations, should be in the process of ensuring GDPR compliance by May 2018. The GDPR is designed to strengthen and unify data protection for EU citizens, and its rules now cover how personal data is collected, stored, processed and destroyed. The new rules apply to Eurozone companies as well as those based in the U.S.

According to Article 3, a company is subject to the new regulation if it processes personal data of an individual residing in the EU when the data is accessed. In short, companies with no physical presence in the EU, but operating in fields such as software services, e-commerce, logistics, travel and hospitality with business in the EU, should already be in the process of ensuring GDPR compliance. Fines are up to €20 million or 4% of the global annual turnover for the preceding financial year, whichever is higher.

Which organizations are required to appoint a DPO? Definitions and examples

According to Article 4 of the EU GDPR, the organizations that determine the means of processing personal data are controllers, regardless of whether or not they directly collect the data from data subjects. The term processor refers to a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.

For example, a bank is considered a controller, as it collects data from its clients. In this case, another organization is the processor, the one that stores, digitizes, and catalogs all the information gathered by the bank. Processors are mainly datacenters or document management companies. In this example, both organizations are handling sensitive data.

The present perspective is that an organization needs a DPO or access to the advice of a DPO unless it can show that it doesn’t.

Article 37(1) of the GDPR requires the designation of a DPO in three specific cases:

  1. The processing is carried out by a public authority.
  2. The core activities of the controller or the processor consist of processing operations which require regular and systematic monitoring of data subjects on a large scale.
  3. The core activities of the controller or processor consist of processing on a large scale of sensitive data or data relating to criminal convictions / offences.

“Core activities” and “large scale”

Core activities should not be interpreted as excluding activities where the processing of data forms an inextricable part of the controller’s or processor’s activity. The guidelines on the GDPR, released by the EU’s Article 29 Working Party, give a few examples and shed some light on what counts as a core activity.

Example 1: A private security company carries out the surveillance of a number of private shopping centers and public spaces. Surveillance is the core activity of the company, which in turn is inextricably linked to the processing of personal data. Therefore, this company must also designate a DPO.

Example 2: The core activity of a hospital is to provide healthcare. However, a hospital could not provide healthcare safely and effectively without processing health data, such as patients’ health records. Therefore, processing data should be considered to be one of any hospital’s core activities and hospitals must therefore designate a DPO.

In the same document we find some recommendations to be considered when determining whether the processing is carried out on a large scale:

– The number of data subjects concerned – either as a specific number or as a proportion of the relevant population

– The volume of data and/or the range of different data items being processed

– The duration, or permanence, of the data processing activity

– The geographical extent of the processing activity

Examples of large-scale processing include:

– processing of patient data in the regular course of business by a hospital

– processing of travel data of individuals using a city’s public transport system

– processing of real-time geo-location data of customers of an international fast food chain for statistical purposes by a processor specialized in providing these services

– processing of customer data in the regular course of business by an insurance company or a bank

– processing of personal data for behavioral advertising by a search engine

– processing of data (content, traffic, location) by telephone or Internet service providers

Examples that do not constitute large-scale processing include:

– processing of patient data by an individual physician

– processing of personal data relating to criminal convictions and offences by an individual lawyer

According to a study, it is estimated that as many as 75,000 DPO positions will be created in response to the GDPR around the globe. The number of US companies that would be obliged to comply is on the order of 9,000. Have you started looking for a candidate yet?