To DPO or not DPO: that is the question

Published on August 4, 2021

Businesses collecting and processing personal information are at extreme risk. July 2021 was particularly concerning, as Amazon was fined a record $886.6 million for allegedly violating the European Union’s General Data Protection Regulation (“GDPR”), while TikTok was fined 750,000 euros ($885,000 US) for failing to post its privacy statement in Dutch. The reality is that data protection authorities are becoming more active in the enforcement of data protection regulations, and they are not going to slow down.

Advisori is in the business of privacy risk management, and our clients seek guidance on how to effectively manage their privacy risks using their available resources. One of the most frequent questions we get is whether or not the business is required to appoint a data protection officer (“DPO”). The legal answer to that question is relatively straightforward, as outlined by Article 37 of the GDPR: if a business collects data of European citizens and any one of the following applies, the appointment of a DPO is a regulatory requirement:

  • The organization is either a public authority or body;
  • The business’s core activities include (but are not limited to) the ongoing monitoring and processing of data subjects on a large scale (e.g., the number of data subjects, the volume of personal data being processed, etc.); or
  • The business’s core activities include the large-scale processing or retention of sensitive information such as health data, religious affiliations, gender, or sexual orientation, or data related to criminal histories.

For organizations that are not legally required to appoint a DPO, we suggest that they should still consider doing so where the business handles personal information, especially that of European citizens. For instance, Article 37 dictates that the DPO should be a subject matter expert in the realm of data protection law and practices. A DPO is also responsible for staying abreast of the corporate privacy policies and procedures to fully comprehend how data is being collected, used, shared, and retained by the business. Moreover, as Article 39 lays out, the DPO serves as the liaison between the business and regulatory authorities. Finally, and maybe most importantly, a DPO interacts with data subjects by both servicing their data subject access rights requests and answering customer questions related to how the business collects, processes, and protects personal information.

An experienced DPO serves a critical risk mitigation function. As international and state privacy laws become more prevalent and as privacy regulators take a more aggressive position on enforcement, businesses must navigate a complex and ever-changing regulatory landscape (consider the adoption of the GDPR and the ever-expanding list of jurisdictions that are adopting the same or similar data privacy protections). A DPO can significantly reduce privacy risk by advising the business on data protection best practices, managing critical operational data protection activities like data security assessments and audits, as well as providing employees with data protection education, training, and strategies.

However, the DPO is not just an “insurance policy.” Having a DPO sends a strong message to the marketplace that the business takes data privacy and protection seriously. In a tightening competitive landscape, that difference could be critical for any business because customers are demanding that businesses respect and ensure their privacy.

In sum, a DPO serves as the face of a business’s data protection program by ensuring critical regulatory compliance and by demonstrating, to data protection authorities and to the public, that the business is serious about data protection and customer privacy.