Shane Edmonds, CTO of etouches, never had any doubt about whether he needed to have a Data Protection Officer (DPO) in place to satisfy the EU’s General Data Protection Regulation (GDPR), which is going into effect later this year. It was a no-brainer from his perspective. Half of etouches’ customers are international and 25 percent are based in Europe. Furthermore, as an events and meetings platform, etouches is all about processing and analyzing customer data. “We service enterprise clients that have over 5,000 users so there was little doubt in our mind that we needed to do this,” said Edmonds.

But not all companies share Edmonds’ confidence that they are making the right decision about whether they need a DPO. The section about DPOs is a vaguely written component of what is a complex and multi-faceted regulation.

What Is A Data Protection Officer?

The role is a formal one mandated by the GDPR — although not all companies automatically need to have one in place. But if they do, this person is to serve as an independent advocate for the proper treatment of the customer's information. A DPO is a relatively unusual role that can be best likened to that of an internal regulator or auditor, according to Robin Bloor, Chief Strategy Officer at Algebraix. A DPO may protect the company from violating European regulations but its primary responsibility is to ensure that the company has and operates systems that enable GDPR to be implemented. “The DPO’s responsibility is to ensure that such systems are built, and that people are employed to run them, particularly to respond to customer complaints and queries,” he said.

Because this is a formal role complete with a title -- and because the position requires a good deal of knowledge about the law itself as well as technological processes -- a DPO's salary is fairly high. In the US, according to data from Glassdoor, compensation can range from $105,000 to $114,000. Complicating matters, though, is the fact that a company often assigns the role of DPO to someone who already has existing responsibilities, such as the chief privacy officer or chief security officer.

Who Needs To Have A DPO?

More to the point is the question "which company needs a DPO?" To be sure, the regulation spells this out — but the language itself is wide open to interpretation. Also, regulators had earlier issued guidance on the DPO with instructions that changed when later guidance was released. Thus, when the experts weigh in, there is a wide range of answers to the question of who needs a DPO. There are some circumstances where DPOs are mandatory — if you are a public body or authority, for instance, according to Bart Willemsen, research director at Gartner. But other language in the regulation is open to interpretation, he said. “For instance, the regulation says if your core activities consist of processing data on a large scale then a [DPO] appointment is mandatory.” But then the question becomes, “how to define large scale?”

Willemsen points out that “large scale” in that earlier draft of the regulation was defined as an organization employing 250 or more people or processing data pertaining to 5,000 or more individuals in any consecutive 12-month period. “Is that up for interpretation? Honestly, ultimately the line in the sand lies where legal counsel of such organizations is prepared to defend the interpretation,” he said.

According to Willemsen, the International Association of Privacy Professionals estimated in 2016 that over 75,000 DPOs would be necessary — 28,000 of which are new appointments in the EU alone. “Currently, we see that only a little over half of organizations has appointed someone, though in 59 percent of cases the hierarchy of the appointment is not optimal,” that is, someone has been recruited from IT or security to take on this role as well. His best guess? The DPO requirement would apply to about half of companies worldwide who do business in the Union.

The ‘I Am A Small Company’ Trap

It is a common assumption that just because you are a small company, the DPO requirement doesn’t apply to you, said Todd Wright, Global Product Marketing for SAS Data Management solutions. This is incorrect, he cautions: “I think there’s a misunderstanding in the market right now that if you are a smaller company you don’t need to have a data protection officer.” One reason for this erroneous belief is the earlier guidance that was later replaced.

“The real factor here is not how many people work at your company — it’s how you process personal data of residents that live in the EU. I could own a two-person company but if we manage 50 million customer records of EU residents — we are on the hook for a DPO. On the other hand a company with 5,000 employees could sell nothing but tractor equipment and sell it right to the dealerships. There is no personal data. This company would not need a DPO,” Wright said.

Data Analytics as a Primary Function

Jeff Sanchez, a managing director at Protiviti, interprets the DPO requirement to apply only to companies that are doing either data mining or data analytics as their primary function — that is, companies that are deriving revenue from their analytics of individuals. This is why he believes most companies will not need a DPO. But there can be some surprising cases in which a company does need a DPO, he points out.

One example that comes to mind is a small services company that earns the majority of its revenue selling advertising against its user base and uses analytics in order to better push advertising to those subjects. “In this case I would say they probably did need a DPO because their revenue source was based on doing analytics of their user base to determine which advertisements would be the most suitable.” But a hospital, which clearly has a lot of sensitive data about customers, would probably not need a DPO as its core activity is not about processing this data. “Only when the core activity is the regular and systematic monitoring of data subjects on a large scale is a DPO necessary,” Sanchez said.

The Risk Of Being Wrong

Some companies may choose to follow Willemsen’s advice on this question of appointing a DPO. “I don’t think it’s a question of ‘do I have to have a DPO?’” he said. “Rather, I maintain that even if you don’t have to, best practice dictates that you appoint someone — if you don’t ‘have to’ you do have a bit more leeway as to how you position the role.”

But experts caution that this approach carries its own risks. “Do you go the conservative route and designate a DPO, not knowing if that concedes to the data regulation authorities that you process a ‘large’ amount of personally identifiable information and puts you under additional scrutiny? Or do you push the edge, not designate a DPO and then have potentially greater liability in the event of a breach?” said Steve Padgett, Actian’s Global CIO.