Data Protection Officer employment — or outsourcing?
As the GDPR deadline draws closer, many European companies are weighing up the requirement to appoint a Data Protection Officer. But unless you are large enough to afford one of the best privacy experts as a full-time employee, outsourcing the Data Protection Officer role may be a better option than employment.
Data protection, or privacy as it is more often called in the US, is a specific area of expertise at the intersection of law, ICT and risk management. Companies that will soon be required, under the EU General Data Protection Regulation (GDPR), to appoint a Data Protection Officer because of the nature and scale of their personal data processing are therefore unlikely to get away with appointing their in-house 'usual suspects'.
What qualifications are required for a Data Protection Officer?
A Data Protection Officer is not the same as a Chief Data Officer. He or she is not an expert in data processing as such, but in the privacy implications of that processing. Similarly, a Data Protection Officer is not the Head of Cybersecurity. Although there is likely to be some overlap, the Data Protection Officer's focus is not the security of the systems but the protection of the personal information they contain. That includes the privacy risks created by perfectly legitimate, well-planned processing activities such as Big Data analytics, where the data may be entirely secure and the processing still intrusive.
Can my HR Officer serve as Data Protection Officer?
This might actually be one of the worst possible choices, and not only because personal data is not limited to HR data. First, your HR officer is likely to have a conflict of interest, because he or she would often be the one determining the purposes and means of employee data processing. Second, HR officers are highly unlikely to be privacy experts.
Can my Head of IT serve as Data Protection Officer?
No. Even if your Head of IT remains relatively passive when it comes to determining the purposes of personal data processing, he or she would be in charge of the means of processing. That role involves making data processing thorough and cost-efficient, which inevitably creates a conflict of interest when it comes to individuals' privacy rights.
Can I outsource my Data Protection Officer?
Since employing a full-time privacy expert might be too expensive, the obvious question is: can I have an external Data Protection Officer? The answer under the GDPR is yes. Moreover, according to the Article 29 Working Party Guidelines on Data Protection Officers, the Data Protection Officer function can be exercised by a company or another organisation rather than by a single individual.