GDPR Readiness FAQ: Data Protection Officer

What is a Data Protection Officer?

The DPO is an officially appointed permanent and mandatory position. The DPO occupies a central counseling and monitoring role in the business or organisation. Their work assignments include:

• Managing policies that ensure compliance with the GDPR, and instructing other employees and leadership in properly following data collection protocols
• Occupying a public position as the point of contact for any inquiries and user requests regarding personal data and how it is handled, including removal
• Must be part of any deliberation and implementation of the requirements related to the GDPR and any internal data policies
• Risk assessment and management in relation to the organisation’s data collection policies and the priorities thereof
• The DPO is responsible for communicating any information regarding data and security breaches and notifying the right people

Does my organisation or business need to appoint a Data Protection Officer?

A Data Protection Officer is mandatory for any public authority or body that processes personal or sensitive data, irrespective of the kind of data. It is also mandatory for some private businesses, but only if certain conditions are met. Any company can voluntarily appoint a DPO if they so wish. Three requirements must be satisfied for a private company to appoint a DPO:

• Monitoring and processing of personal data must be part of the business’ core activities
• The relevant processing and monitoring of personal data must take place on a large scale
• The processing operations consist of regular and systematic monitoring of data subjects

Neither of these three conditions have been fully defined as of yet.

If you do not meet these requirements, the appointment of a DPO is not necessary. However, you do need to be able to document that fact.

What does “personal data” involve?

Any general data relating to name, gender, ID numbers, location, medical, economic, and social status.

What does “sensitive data” involve?

• Race or ethnicity
• Political, religious, or philosophical beliefs
• Any trade-union affiliation
• Genetic or biometric data for the purpose of identification
• Information about health status or sexual relations
• Data on criminal convictions or child care certificates

What does “core activities” imply?

Any key operations meant to achieve the controller’s or processor’s objectives, and activities where the processing of data forms is an inextricable part. This can apply to e.g. advertising agencies, insurance companies, medical clinics, recruitment bureaus, internet service providers, cloud computing services, unions, travel or credit companies, any company using geo-location on a large scale.

Essentially, is your product or service fundamentally dependent on monitoring and processing personal data? If so, it is a core activity.

Things that are not core activities:

• Communication with clients
• Sales and support
• Handling data regarding employees

What does “large scale” imply?

Anything beyond a small private medical clinic or an independently practising lawyer, e.g. hospitals, both public and private, insurance companies, unions, travel agencies.

What does “systematic monitoring” imply?

All forms of tracking and profiling on the internet, including for the purposes of behavioural marketing. “Regular” means the monitoring is ongoing and/or repeated, either periodically or constantly. “Systematic” means it is pre-arranged and organised as part of a plan or strategy in relation to a system. This includes:

• Running a communications network
• Credit evaluations
• Location tracking via website or apps
• Behavioural marketing

How does the Data Protection Officer fit into my organisation or business?

The DPO is an independent position, and as such has to remain impartial. Factors of this position include:

• They are to be sufficiently included in all manners relating to data protection in a timely manner, and they need the proper resources to be able to do their job
• No outside influence or reprimand can be applied to them for doing their assigned tasks
• They report to the top leadership only, and are allowed to perform other tasks as long as there is no conflict of interest
• A DPO can also serve as a business’ compliance officer, overseeing and managing regulatory issues
• If your company deals with extremely high volumes of data to process, the DPO can establish an internal office of data protection

Who can be a Data Protection Officer?

• Any employee, as long as there is no conflict of interest, and as long as they are not in charge of the organisation’s data monitoring, i.e. head of IT or HR
• A conglomerate or group of businesses can appoint a common DPO, as long as every branch has the same level of access
• It is possible to hire a third party contractor to fill the role of the DPO, for example a lawyer or accountant, as long as there is no conflict of interest

What qualifications should a DPO have?

• Expertise in the field of data protection and the regulations surrounding data protection
• Be able to perform the tasks associated with the DPO
• No specific education is required to fill the role of a DPO
• Legal and practical experience with data protection regulations is appropriate depending on the scale and complexity of data processing

The required level of expertise is not defined, but it should be equivalent to the sensitivity and quantity of the data processed by the organisation or business. The DPO also needs to understand how to develop and implement general data protection practices.

How can Aesir help me with the GDPR and the DPO?

Aesir is our revolutionary context marketing platform that provides a full digital transformation with large-scale content management, user behaviour analysis, and quick and easy cross-channel delivery.

Aesir Cookies

If most of your data monitoring and processing is done via the use of cookies, for example in advertising, this falls under one of the DPO requirements for a large scale core activity. One notable feature of Aesir is its use of functional cookies, which the EU has declared do not require explicit user consent to be collected. 

Aesir Cookies stores data internally, allowing you to collect all the data you need as well as logging it via functional cookies. This reduces the risk of security breaches, and you will not need to provide additional opt-in protocols on your website.

Data Automation

Alternatively, an Aesir solution can be configured to give users the ability to delete their data themselves, which would otherwise be the manual responsibility of the DPO. Aesir can also be integrated with external tools and apps to consolidate data collection. 

Aesir can automatically log any security issues or breaches by monitoring selected processes, and can then notify the DPO in the event of any changes, allowing for a quick response .

The Power of Context Marketing

Through our engagement analysis system, Aesir can collect behavioural data that goes beyond the traditional definition of personal and sensitive data, and more about how users choose to engage with your website. This allows you to use behavioural advertising in a new way, focusing more on experience and engagement than self-submitted personal data.

Depending on a user's journey, Aesir can tell you many things about them that are unrelated to their personal data, such as which subpages they use the most, what colour they prefer in a webshop, what search terms they use, how they found your site and when they leave again. Aesir turns these statistics into a practical engagement metric that you can use to improve your user experience.

Feel free to contact us regarding your available options in preparation for the GDPR and the appointment of a DPO. There are only about 400 days left until 25 May 2018, so make sure you are on the right track for a smooth transition into the new regulation.