Data Protection Officer: the GDPR updates a profession
On May 25, 2018, a new European regulation on personal data protection (hereinafter GDPR, the General Data Protection Regulation) entered into force. This regulation is known for its extraterritorial reach: it is binding in all EU countries and, under certain conditions, extends to non-European companies or forces them to bring their activities into line with the GDPR so as not to lose their European partners. Consequently, Russian business can also be affected by the new law; a general analysis of it is available here. The GDPR strengthens the previously established personal data protection regime and also introduces new obligations for organizations processing such data.
In particular, the regulation modernized the already existing role of data protection officer (hereinafter DPO). This post was also provided for in the 1995 framework directive, which the new text replaced. The previous legislation regulated the activities of such a specialist but did not make the appointment mandatory.
When do I need to assign a DPO?
Today, in the GDPR era, the appointment of a DPO has become mandatory in the following cases (Article 37 of the GDPR):
- In companies that systematically and regularly carry out large-scale monitoring of individuals (most often this means monitoring for contextual advertising);
- In companies that carry out large-scale processing of special categories of personal data, such as health data;
- In any public body that processes personal data.
In all other cases, the appointment of a DPO remains optional. Nevertheless, European regulators unanimously urge companies not to neglect such a specialist and to delegate personal data protection to a professional in this field.
This innovation of the European legislator is easily explained by the philosophy of the regulation itself: enhanced data protection, increased responsibility of data processors, and huge sanctions for violating the provisions of the GDPR. To bring their activities in line with the new requirements, enterprises need the support of highly specialized experts.
Lack of DPO services
True, parliamentarians either did not take into account or simply ignored the fact that the current market for personal data protection services is not ready to withstand such an influx of new customers who are now forced to recruit DPOs. Although this profession has existed for some time, the number of specialists leaves much to be desired even on the European market. According to IAPP (International Association of Privacy Professionals) research, 28 thousand specialists need to be hired in 2018 in the EU and the USA alone. Worldwide, this figure rises to 75 thousand.
Obviously, such demand cannot be satisfied solely by in-house professionals (internal employees of companies). For this reason, many companies turn to external consulting organizations that provide DPO services. For medium and small businesses, for example, this may be much easier than hiring a new employee. In any case, external or internal status has almost no effect on the activities of the DPO itself.
DPO: a lawyer or an IT specialist?
First of all, it must be understood that a DPO needs legal knowledge. This conclusion follows directly from Article 39 of the Regulation, which lists the tasks and missions of the DPO. For the most part, the DPO is, of course, a lawyer. Moreover, it should be a lawyer with strong management skills and proper technical expertise, that is, a manager.
More rarely, information technology specialists with only a basic understanding of law act as DPOs. True, this picture is typical of Western countries. The domestic market for personal data protection is dominated by IT specialists rather than lawyers. Now that it is in force, the GDPR should tip the scales towards lawyers in Russia as well, more precisely towards specialized lawyers.
In any case, large corporations naturally prefer to hire some specialists for IT security and others for personal data. Small and medium businesses tend to choose a single employee who is competent in both areas.
Why is this happening? The answer lies on the surface: the GDPR places too wide a range of responsibilities on companies.
On the one hand, it is necessary to ensure the security of personal data and to respond correctly in the event of a leak. This is usually done by "IT specialists". On the other hand, it is necessary to conclude contracts that legally comply with the requirements of the regulation, maintain the specially prescribed registers, deal with supervisory authorities and perform other "paper" duties. This is usually handled by lawyers, and sometimes by managers.
As a result, a good personal data specialist is a peculiar mix of all these professions.
What does DPO do?
As for the scope of the DPO's work, such an employee will do everything necessary to ensure that the company fully complies with European regulations and other acts in the field of personal data protection, and thus avoids major sanctions as well as contractual risks with partners.
The DPO will conduct a general audit of the company's activities, identify all categories of personal data it processes, propose measures to ensure their security, and draw up a general development strategy towards the legitimate use of data. The DPO will negotiate with the supervisory authority if necessary, and will also help respond to requests from the individuals whose data the company processes. In general, almost everything related to personal data will fall within the DPO's remit.
Whether to do without such an employee in the GDPR era, and in the midst of major personal data leak scandals, is up to each company to decide. But, once again, this decision only arises for those who have no direct obligation to appoint a DPO.
Features of the provision of DPO services
When an organization considers recruiting a DPO, it is important to understand that there are two main types of service provision in this area: the above-mentioned in-house and consulting models. In the first case, the employee is hired under an employment contract; in the second, an external consulting company provides DPO services under a civil law contract. Regardless of the option chosen, the company itself remains the legally responsible party. The DPO is in no way liable for the company's failure to comply with the provisions of the GDPR.
In addition, the European regulation strictly requires the complete independence of the personal data protection specialist. In the in-house case, a DPO can only be accountable to the person at the top of the hierarchy. In the external consulting case, the DPO must not be in a conflict of interest, which is often the case if the DPO is, for example, a lawyer.
In any case, conflicts of interest and the independence of DPOs are always checked by the supervisory authority for personal data protection. This is a mandatory process, and every DPO appointment must be declared to the regulator. In other words, each time a DPO is appointed, the supervisory authority must be notified.
More information about the various subtleties of appointing a DPO, whether mandatory or voluntary, and about the DPO's functions and missions can be found in the guidelines of the WP29 Working Party. This body existed in the era of the 1995 framework directive, and its main task was the interpretation of legislation in the field of personal data protection. With the entry into force of the GDPR, the Working Party was replaced by the European Data Protection Board, but the work of WP29 has not lost its relevance.
A few insider stories about the DPO profession
Today it is entirely unclear what background an applicant for a DPO position in Russia should have. Educational institutions hardly offer any special programs in digital law or personal data protection. Of course, demand on the domestic market is several times lower than on the European one, but not low enough to justify such a gap. Major law schools are only just beginning to introduce special courses in the IT direction.
Many international organizations have long offered various forms of certification. For example, the already mentioned IAPP offers a preparatory course on the GDPR and certifies those who successfully pass the exam. This course is open to all comers, and IAPP accreditation is highly valued throughout the world.
As for the profitability of the profession, according to, for example, the French association of personal data protection officers, the earnings of an average DPO in Europe range from 2.5 thousand to 4 thousand euros. This range roughly corresponds to the average income of a European programmer. We can therefore expect rough parity between the incomes of these two professions on the domestic market as well.
Summing up, it must be emphasized that Data Protection Officer is a young profession, which received a significant impetus to develop from the entry into force of the new European regulation, the GDPR. Today, personal data protection under the GDPR is a trend that companies around the world, not just in Europe, need to pay attention to. In the near future, full-fledged cooperation with European partners will become possible only if the GDPR is observed, which is difficult to imagine without integrating the DPO profession, at least in the consulting services sector.