On the third anniversary of the General Data Protection Regulation, Cooley launched a series of webinars focused on the GDPR.

As set out in the GDPR, the data protection officer (DPO) plays a crucial role in the data privacy landscape, so our second webinar covers what we consider to be the 10 most common mistakes organizations make when deciding whether to appoint a DPO.

#1: Misunderstanding the DPO role

A DPO plays an intermediary role between the organization, the data subjects and the supervisory authorities. Therefore, when appointing a DPO, the organization should publish the contact details of the DPO so they are available to data subject and communicated to the relevant supervisory authorities.

Please note that a group of entities may appoint a single DPO – if the DPO is easily accessible from each establishment.

#2: We always need a DPO

Not all organizations need to appoint a DPO.

A DPO is required under the GDPR in basically three scenarios: for public authorities; when the organization carries out regular and systematic monitoring of data subjects on a large scale; or when the core activities of the organization involve processing of special categories of data or criminal convictions on a large scale. Your organization should also consider any additional requirements under local laws (e.g., in Germany or Spain) to determine whether a DPO is needed.

#3: Deciding to appoint your chief information security officer (CISO) as DPO

Organizations must carry out an ad hoc assessment to determine who is the right person to be appointed as a DPO. The DPO may be a staff member of the organization with other tasks and duties – if they do not result in a conflict of interest. The organization should always have internal protocols to ensure that the DPO is independent.

Roles such as the CISO or the general counsel may easily have a conflict of interest because they are members of business units who are involved in determining the means and scope of the data processing activities carried out by the organization.

The DPO should be designated based on professional qualities and, in particular, expert knowledge of data protection law and practices, as well as the ability to fulfil the tasks of the role.

#4: I am a processor. I don’t need a DPO

The requirement to appoint a DPO applies to both controllers and processors. A processor that meets the thresholds mentioned in #2 above needs to appoint a DPO.

#5: Assuming your DPO needs to be based in the European Union

DPOs don’t need to be established in the EU, as long as they meet the requirements of the role from a GDPR and local law perspective. Although it is helpful if your DPO is based in the same time zone and speaks the same language as the main supervisory authority, it is not required.

#6: We have a DPO – we don’t need a representative too

The requirements to have a DPO and to appoint a representative are not connected. These are two separate obligations under the GDPR. The DPO can’t be the same person as the EU representative, as the EU representative role is incompatible with the independent criteria needed for the DPO.

#7: Failing to properly document disagreements with the DPO’s recommendation

It is acceptable for an organization to disagree with the DPO, but the organization needs to document the business decision and why the organization is not following the DPO’s recommendation.

#8: Not understanding when a DPO can (or can’t) be dismissed

DPOs do have certain protections to preserve their independence, and under the GDPR, they are protected from detriment and dismissal. However, DPOs are not protected under all circumstances – for example, if they are guilty of discrimination, gross misconduct, etc., they can be dismissed.

#9: Misunderstanding the DPO’s liability for what your business does

The DPO is not liable for breaches made by an organization, but this does not mean that the DPO is exempt from all liability. The DPO has the same responsibility as any other employee in the business in relation to the performance of the job’s functions.

#10: Assuming that having a DPO makes your organization compliant with the GDPR

Just appointing a DPO will not make your organization automatically compliant with the GDPR. It’s an important step toward compliance with the GDPR, but your organization still needs to meet all other obligations and implement all requirements under the GDPR to be fully complaint.

Cooley’s cyber/data/privacy group
  • 50+ lawyers globally counseling on privacy, cybersecurity and data protection matters
  • Holistic approach to compliance and security that’s built to preserve and protect enterprise value
  • Market-leading privacy and data breach litigation

David Navetta

Ann Bevitt

Enrique Capdevila

Amal Ali

Posted by Cooley