Insights from Osborne Clarke’s legal experts on the role of data protection officers under the new European Data Protection Regulation for the advertising industry.
The new General Data Protection Regulation (GDPR) is set to introduce the role of the data protection officer (DPO) on the European stage with effect from 2018. Under the new regime, companies in the advertising sector – regardless of whether they are acting as a data controller or merely a data processor – may be obliged to appoint a DPO. Below we set out the particularities of those obligations and the cases in which they apply.
We further illustrate the role of the DPO and his or her value for the supervised entity, as well as the possibility of appointing data protection lawyers as external DPOs, drawing on experience gathered in Germany.
1. The (in-)significance of DPOs under the current regime – a German success story
On a European scale, the DPO is currently a rather neglected concept, as the foundation of the current data protection regime in Europe, Directive 95/46/EC (the “Directive”), does not stipulate any obligation for data processing entities to appoint a DPO. Consequently, most of the corresponding national laws of member states, for instance the UK Data Protection Act 1998 (“DPA”), do not make any mention of the DPO.
Nonetheless, the Directive provides a potential field of application for DPOs with significant practical impact. Under the Directive, as a rule any intended processing operation of personal data has to be reported in advance to the competent supervisory authority. In the UK this rule is implemented by way of the requirement in the DPA that almost all data controllers must notify the Information Commissioner’s Office.
However, member states are free to allow exemptions from the aforementioned notification duty, inter alia in the case of data controllers appointing a DPO. As an internal supervisory entity, the DPO is supposed to ensure compliance with data protection law from within the respective data processing entity, which ultimately warrants a suspension of the preliminary notification duty.
In order to avoid (unnecessary) red tape for controllers as well as for supervisory authorities, Germany, for instance (as well as France, Luxembourg, the Netherlands and Sweden), has made use of this exemption. Under the current German Federal Data Protection Act, the obligation to notify the supervisory authority in advance is suspended if the respective entity appoints a DPO.
Whereas the other aforementioned jurisdictions have introduced the DPO as a merely voluntary feature, the German legislator went further: generally speaking, any entity in Germany employing at least 10 persons who regularly deal with automated processing of personal data (e.g. customer or employee data) is actually obliged to appoint a DPO. As a result, basically any medium-sized business using customer relationship management systems or payroll software has to designate a DPO.
Since its inception the position of the DPO has developed into an inherent pillar of the German data protection landscape. DPOs tend to carry out their tasks very diligently, and the supervised entities hold the DPOs’ opinions and criticism in high regard. DPOs work towards the compliance of their respective companies with data protection law and thus serve as a highly functional and valuable part of the business. They further enhance relations with both data subjects and administrative supervisory authorities.
Further below we set out more benefits that appointing a DPO may have for your business.
2. Will I need one? – Obligations to appoint a DPO under the new regime
Even though the GDPR has abstained from a general preliminary notification duty, on the back of its success in Germany the concept of the DPO as an internal supervisory entity has been implemented within the new regime of the GDPR. However, in comparison to the far-reaching obligations under current German law, the GDPR applies a far more limited approach.
Under the GDPR, as relevant to advertising companies, a DPO must only be designated by an entity whose core activities:
- “consist of processing operations which […] require regular and systematic monitoring of data subjects on a large scale”; or
- “consist of processing on a large scale of special categories of data”.
“Special categories of data” comprise personal data relating to racial/ethnic origin, political opinions, religious/philosophical beliefs, trade union membership, health, sex life or sexual orientation and also now genetic or biometric data processed for unique identification purposes.
The recitals of the GDPR further clarify that the core activities of an entity are its primary activities and do not include the processing of personal data as an ancillary activity. Thus it is fair to assume that, for instance, companies handling employee data but not engaging in large-scale monitoring of data subjects will not have to appoint a DPO, even though employee data generally contains special categories of data.
Moreover, it must be noted that a DPO will have to be appointed regardless of whether the respective entity is acting as a data controller or merely a data processor.
As the GDPR provision primarily targets entities carrying out “systematic monitoring of data subjects”, advertising businesses, in particular companies dealing in behavioural advertising or providing such services to other companies, will most likely fall within its scope. Since the GDPR regards online identifiers such as IP addresses and cookies as personal data where they are used to identify individuals, such businesses will find it hard to argue that they are not processing personal data, and thus that they are not obliged to appoint a DPO, even if they do not know the names of the individuals involved.
Any other advertising businesses, even “analogue” direct mailing shops, will have to check whether they are handling special categories of data of their respective recipients and are thus obliged to designate a DPO.
Finally, it has to be pointed out that the GDPR enables member states to adopt further obligations for entities around the appointment of DPOs. As the direct marketing sector in particular has traditionally been highly regulated with regard to the use of personal data, it is conceivable that member states will opt to enact further obligations for such businesses.
3. Who can become a DPO and how do I integrate him in my business?
Under the GDPR, serving as a DPO does not require any special degree or certified qualification. However, a candidate has to possess the necessary level of expert knowledge regarding data protection law and practices. They must also have a basic technical understanding of IT security in accordance with the data processing operations carried out and the protection required for the personal data processed by the controller or the processor in question (the “Supervised Entity”).
Thus, the potential DPO’s expertise will have to be aligned with the specific requirements and challenges posed by data processing activities of the Supervised Entity. The potential or already appointed DPO can gather the required expertise via seminars or other professional training. The Supervised Entity will have to provide the DPO with such educational possibilities in order to initially get him or her up to speed and subsequently keep his or her expert knowledge up to date.
The GDPR does not require the DPO to carry out his or her data protection duties full-time. Provided that the workload posed by the Supervised Entity allows it, the DPO may instead carry out his or her DPO duties alongside his or her usual function within the Supervised Entity.
In such cases, his or her other role and responsibilities may not, however, create a conflict of interest. In order to prevent such tensions, in Germany for instance DPOs may not be part of the management level of the Supervised Entity, nor may they be tasked with major data processing operations or IT systems administration. It should also be borne in mind that the DPO is supposed to act as an internal but independent supervisory entity and must not be obstructed by any other interests he or she might pursue in any other capacity.
Speaking of independence, DPOs have to be in a position to perform their duties and tasks autonomously. This means that DPOs are free from instructions from the Supervised Entity when carrying out their duties; they must also not be dismissed or penalised for performing those duties. This is intended to ensure that DPOs are not intimidated in fulfilling their role and potentially coming to “undesirable” conclusions.
Regarding their organisational implementation, DPOs must be able to directly report into the highest management level of the Supervised Entity. The Supervised Entity must further ensure that the DPO is involved in and aware of all data protection issues. It shall further support the DPO in performing his or her tasks by providing the resources necessary to carry out these tasks as well as access to personal data and processing operations.
4. What is a DPO obliged to do and how can I (further) benefit from him or her?
First and foremost, the DPO must monitor the compliance of the Supervised Entity with applicable data protection law and advise the Supervised Entity as well as its employees on their data protection obligations, inter alia by conducting seminars, drafting appropriate policies or memos, monitoring and evaluating the hardware and software used for data processing operations, or carrying out preliminary evaluations of envisaged data processing operations.
Furthermore, the DPO acts as a point of contact for data subjects, both inside and outside the Supervised Entity, as well as the administrative supervisory authority in relation to the processing of personal data or the enforcement of data subject rights.
Nowadays, in particular data processing “heavy” businesses like online advertising companies experience more and more public scrutiny and scepticism. Data breaches or generally unlawful or poor handling of personal data can significantly damage the reputation of a company. Beyond that, lawful, safeguarded and efficient handling of personal data can serve as a flagship and business enabler.
As experience in Germany has shown, having a designated, well-versed and committed DPO with a good and healthy relationship with the management of the Supervised Entity can greatly contribute to achieving legal compliance and thus be highly beneficial to the business. It is also a good way to establish considerate and friendly relationships with the administrative supervisory authorities, which in the case of the UK would be the Information Commissioner’s Office.
Especially in large companies or groups of companies, maintaining an overview of all data processing operations can be a daunting task. A full-time and well-versed DPO can greatly simplify coordinating and safeguarding a company’s handling of personal data. In groups of companies the GDPR allows a single DPO to be appointed for several or all entities of the group. In order to properly fulfil his or her duties as DPO for all group members he or she monitors, the DPO can coordinate with auxiliary personnel and delegate tasks and responsibilities.
5. Your data protection lawyer as your (external) DPO
Under the GDPR the DPO will not need to be a staff member but can instead be appointed externally under a service contract. In Germany, data processing entities make wide use of external DPOs. Medium-sized companies in particular may not have the capacity, or simply the need, to appoint a full-time DPO. Moreover, none of the available employees may possess the expertise required to fulfil the role. DPOs providing external monitoring services are usually well trained and experienced and can be hired to the extent needed. Additionally, the respective entity does not have to worry about providing training to an internal DPO or about potential conflicts of interest.
In Germany it has become common practice to appoint as retained DPOs the external lawyers who already advise the respective entity on data protection issues. This not only ensures that the DPO possesses the required expertise in data protection law; by being more involved in the business and administrative processes of the client, the lawyer also gains a broader and deeper understanding of the business and can subsequently provide a more tailored service, both as a legal consultant and as a DPO.
Against this background, several big as well as smaller but specialised law firms in Germany have decided to provide one-stop solutions and not only consult on data protection law but rather additionally offer services as external DPOs.