Tip

Assessing GDPR's data protection officer requirements

The GDPR's data protection officer mandate gives the EU a point person for compliance complaints, but not all companies need one. See when DPOs are required and what they do.

The General Data Protection Regulation requires many companies to appoint a data protection officer. While this person probably won't win any popularity contests, having someone in charge of personal data privacy for both customers and employees can help ensure compliance.

The data protection officer requirements (DPO) under Article 37 of the General Data Protection Regulation (GDPR) state that public authorities and entities that conduct data monitoring of European Union (EU) citizens on a large scale must appoint a DPO. Every organization with more than 250 employees doing business in the EU must have a DPO, as well as smaller companies that process large volumes of EU user data, like advertising and marketing service vendors.

GDPR doesn't only protect consumers' data; employees based in the EU are protected, as well. Consequently, managers must make sure they have mechanisms in place to help employees find out how their company manages their personal data and where it is sent for processing and storage. This could be as simple as one payroll service, or more complex if several different cloud services are used as part of various HR processes, such as training, income reporting or workforce analytics.

GDPR data protection officer requirements

The DPO must work with IT and security teams to audit the existing IT systems and identify where personal data is stored and how it might be compromised. DPOs also have to oversee training programs and work with others to ensure workers understand the ins and outs of GDPR compliance.

A DPO must assess the company's data collection and management practices, recommend training and compliance procedures, and document the process.

A DPO must assess the company's data collection and management practices, recommend training and compliance procedures, and document the process. The most challenging part is that they also have to take complaints from individuals and authorities, so they have a stake in ensuring that everyone does their part.

GDPR specifies the minimum data protection officer requirements as:

  • informing and advising the organization and employees about their data privacy management obligations;
  • monitoring compliance, including managing internal data protection activities, advising on data protection impact assessments, training staff and conducting internal audits; and
  • being the first point of contact for authorities and individual inquiries.

Different kinds of DPOs

A DPO can be hired to work in-house or can work under contract for multiple companies. This means smaller firms can outsource data protection tasks. One of the main GDPR data protection officer requirements is that the DPO maintain some independence from other executives so that their recommendations will be difficult to override.

GDPR's definition of personal data
How the GDPR data protection rules define personal data

If an enterprise decides to hire an outside DPO, it's probably a good idea to find one that already works with companies in the same vertical. The privacy infrastructure and workflows in marketing are going to be different than those in verticals like telecom, finance or packaged goods. DPO Network Europe has a decision tree to help companies find a good DPO fit.

In a call center, for example, a DPO's questions will likely include:

  • Do you have consent for all customer communications?
  • If not, is there a legal reason that it is not required? For example, calls for certain kinds of debt collection, to businesses or when there is a prior relationship may fall outside of basic requirements.
  • How do you document and record consent and make it available?
  • What is the time limit on consent and how will you make agents aware that it has expired?
  • How do agents flag personal information, and how do you ensure it is flagged appropriately?

Creating a culture of GDPR compliance

Continuing with the call center example, some key ways that call center leaders can work with a DPO include auditing call center processes, documenting these processes and documenting the training approach for workers that touch personal data. Call center leaders also need to work with the DPO to identify places where agents or processes fall short in terms of GDPR compliance.

This is going to be a thorny process in practice because the only way to get better is to track where you fall short. What happens when you discover privacy violations internally? Will the manager be responsible for reporting these to the DPO? And, if so, will that lead to fines for the company or, worse, demotions or other sanctions against the manager or workers that were responsible?

If the goal is to meet the minimum GDPR compliance goals, there is an incentive to hide problems from management and the DPO. In the long term, this could lead to major data breaches that hurt customers and the company's image, in addition to large EU fines. In this case, managers just need to focus on filling out the section of the GDPR documentation specified under data protection officer requirements.

Another approach would be to focus on creating a culture of trust that recognizes that people make mistakes. However, this approach requires senior management to foster a culture of respect. In this case, call center managers would need to work with call center agents to encourage them to discuss problems in a way that minimizes blame.

Dig Deeper on Customer data management