GDPR Readiness FAQ: Data Protection Officer
We’ve previously written about the EU’s new GDPR directive that will take effect in 2018. To recap, the General Data Protection Regulation (GDPR) is a directive that was passed on 26 April 2016, specifying the new guidelines regarding cookies and other forms of data collection. The directive will result in stricter security measures and greater transparency for any company that monitors and collects personal data. This applies to every country in the EU, as well as the UK.
If your business monitors and/or collects personal data, you need to be prepared by 25 May 2018 or face fines of up to €20 million or 4% of your annual revenue.
Since then, a few clarifications and additions have come out, specifically regarding the so-called DPO or Data Protection Officer. The appointment of a Data Protection Officer is one of the more vague regulations in the directive, and it applies to any business “whose core activities involve the monitoring of personal data”. But what exactly does that mean? Do you need to appoint a DPO in your business? Read on to learn more about the details, and how we at Aesir can help.
What is a Data Protection Officer?
The DPO is an officially appointed permanent and mandatory position. The DPO occupies a central counseling and monitoring role in the business or organisation. Their work assignments include:
- Managing policies that ensure compliance with the GDPR, and instructing other employees and leadership in properly following data collection protocols
- Occupying a public position as the point of contact for any inquiries and user requests regarding personal data and how it is handled, including removal
- Taking part in any deliberation and implementation of the requirements related to the GDPR and any internal data policies
- Risk assessment and management in relation to the organisation’s data collection policies and the priorities thereof
- Communicating any information regarding data and security breaches and notifying the right people
Does my organisation or business need to appoint a Data Protection Officer?
A Data Protection Officer is mandatory for any public authority or body that processes personal or sensitive data, irrespective of the kind of data. It is also mandatory for some private businesses, but only if certain conditions are met. Any company can voluntarily appoint a DPO if they so wish. Three requirements must all be satisfied before a private company is required to appoint a DPO:
- Monitoring and processing of personal data must be part of the business’ core activities
- The relevant processing and monitoring of personal data must take place on a large scale
- The processing operations consist of regular and systematic monitoring of data subjects
None of these three conditions has been fully defined as yet.
If you do not meet these requirements, the appointment of a DPO is not necessary. However, you do need to be able to document that fact.
What does “personal data” involve?
Any general data relating to name, gender, ID numbers, location, medical, economic, and social status.
What does “sensitive data” involve?
- Race or ethnicity
- Political, religious, or philosophical beliefs
- Any trade-union affiliation
- Genetic or biometric data for the purpose of identification
- Information about health status or sexual relations
- Data on criminal convictions or child care certificates
What does “core activities” imply?
Any key operations meant to achieve the controller’s or processor’s objectives, and activities of which the processing of data forms an inextricable part. This can apply to e.g. advertising agencies, insurance companies, medical clinics, recruitment bureaus, internet service providers, cloud computing services, unions, travel or credit companies, and any company using geo-location on a large scale.
Essentially, is your product or service fundamentally dependent on monitoring and processing personal data? If so, it is a core activity.
Things that are not core activities:
- Communication with clients
- Sales and support
- Handling data regarding employees
What does “large scale” imply?
Anything beyond a small private medical clinic or an independently practising lawyer, e.g. hospitals, both public and private, insurance companies, unions, travel agencies.
What does “systematic monitoring” imply?
All forms of tracking and profiling on the internet, including for the purposes of behavioural marketing. “Regular” means the monitoring is ongoing and/or repeated, either periodically or constantly. “Systematic” means it is pre-arranged and organised as part of a plan or strategy in relation to a system. This includes:
- Running a communications network
- Credit evaluations
- Location tracking via website or apps
- Behavioural marketing
How does the Data Protection Officer fit into my organisation or business?
The DPO is an independent position, and as such has to remain impartial. Factors of this position include:
- They are to be sufficiently included in all matters relating to data protection in a timely manner, and they need the proper resources to be able to do their job
- No outside influence or reprimand can be applied to them for doing their assigned tasks
- They report to the top leadership only, and are allowed to perform other tasks as long as there is no conflict of interest
- A DPO can also serve as a business’ compliance officer, overseeing and managing regulatory issues
- If your company deals with extremely high volumes of data to process, the DPO can establish an internal office of data protection
Who can be a Data Protection Officer?
- Any employee, as long as there is no conflict of interest and they are not in charge of the organisation’s data monitoring, e.g. the head of IT or HR
- A conglomerate or group of businesses can appoint a common DPO, as long as every branch has the same level of access
- It is possible to hire a third party contractor to fill the role of the DPO, for example a lawyer or accountant, as long as there is no conflict of interest
What qualifications should a DPO have?
- Expertise in the field of data protection and the regulations surrounding data protection
- The ability to perform the tasks associated with the DPO
- No specific education is required to fill the role of a DPO
- Legal and practical experience with data protection regulations, appropriate to the scale and complexity of the data processing
The required level of expertise is not defined, but it should be equivalent to the sensitivity and quantity of the data processed by the organisation or business. The DPO also needs to understand how to develop and implement general data protection practices.
How can Aesir help me with the GDPR and the DPO?
Aesir is our revolutionary context marketing platform that provides a full digital transformation with large-scale content management, user behaviour analysis, and quick and easy cross-channel delivery.
Aesir Cookies stores data internally, allowing you to collect all the data you need as well as logging it via functional cookies. This reduces the risk of security breaches, and you will not need to provide additional opt-in protocols on your website.
Alternatively, an Aesir solution can be configured to give users the ability to delete their data themselves, which would otherwise be the manual responsibility of the DPO. Aesir can also be integrated with external tools and apps to consolidate data collection.
Aesir can automatically log any security issues or breaches by monitoring selected processes, and can then notify the DPO in the event of any changes, allowing for a quick response.
The Power of Context Marketing
Through our engagement analysis system, Aesir can collect behavioural data that goes beyond the traditional definition of personal and sensitive data and is more about how users choose to engage with your website. This allows you to use behavioural advertising in a new way, focusing more on experience and engagement than on self-submitted personal data.
Depending on a user's journey, Aesir can tell you many things about them that are unrelated to their personal data, such as which subpages they use the most, what colour they prefer in a webshop, what search terms they use, how they found your site and when they leave again. Aesir turns these statistics into a practical engagement metric that you can use to improve your user experience.
Feel free to contact us regarding your available options in preparation for the GDPR and the appointment of a DPO. There are only about 400 days left until 25 May 2018, so make sure you are on the right track for a smooth transition into the new regulation.