If you have a presence in Europe, serve European customers, or use a data center in Europe, you need to follow the General Data Protection Regulation (GDPR). You may need a dedicated Data Protection Officer, whose roles include complying with the GDPR, handling data access requests, educating staff, and liaising with regulators. Here’s what else you need to know.
The GDPR is a European Union regulation that took effect on May 25, 2018. It has legal force in all EU member countries. (At the time of writing, the GDPR’s measures also applied in the United Kingdom through its domestic laws.)
Although it is a European law, businesses outside Europe may have to follow it. That’s because the GDPR applies in any of three scenarios:
- Your organization (or somebody who processes data for you) is established in a European Union country. This could include a subsidiary or local outlet.
- You process data relating to goods or services that are offered to somebody in the EU. This could cover mail order or online services.
- The processing physically takes place in an EU country, for example, at a data center.
Who Needs a Data Protection Officer
If you’re covered by the GDPR, you must have a data protection officer if any of the following apply:
- You carry out regular and systematic processing of personal data as part of your core activity.
- You are a public organization (for example a government department or agency) rather than a business.
- You handle data about criminal convictions or offenses.
- You handle sensitive data. The GDPR defines this as data including "racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data, biometric data, data concerning health or data concerning a natural person's sex life or sexual orientation."
There’s nothing to stop you from appointing a data protection officer even if the GDPR doesn’t require it. Doing so could make it easier to comply with the GDPR’s wider measures and may be necessary under some other privacy laws.
The GDPR uses the term "Data Protection Officer" rather than Chief Data Protection Officer or Chief Privacy Officer. It's fine to have multiple staff members working on data privacy matters, but you must designate one person as "data protection officer" for GDPR purposes.
What a Data Protection Officer Does
The GDPR sets out four specific duties that a data protection officer must carry out.
- Tell you and your staff what you need to do to comply with the GDPR when they process personal data.
- Take overall responsibility for your organization’s compliance with the GDPR, including monitoring compliance.
- Carry out data protection impact assessments when your organization plans to process data in a way (or of a type) that creates a high risk of infringing on people’s data rights. Impact assessments list and measure the risks and recommend ways to mitigate them.
- Communicate and cooperate with national data regulators (known as “supervisory authorities”).
The GDPR is a lengthy document with extensive requirements. These are some key things your data protection officer must make sure you do to comply:
- Only process personal data where you have a legal basis such as consent.
- Give and record a specific purpose each time you collect or process personal data. Only use the data for this purpose and only keep it as long as needed to serve this purpose.
- Allow data subjects to exercise their rights, including to access the data you store about them, to correct any errors, to ask you to delete data that’s no longer relevant, and to get a copy of their data in an electronic form that’s easy to transfer to another organization.
- Only transfer data to a non-EU country if that country has a “data adequacy” agreement with the EU or if you impose a contract term on the recipient to say they will protect the data to GDPR standards.
GDPR and Software Development
As with any industry, GDPR covers the way you use and store data about suppliers and customers. However, software development brings specific responsibilities in making sure all your apps or platforms inherently handle data in a compliant way. Your data protection officer will need to push your developers to do the following with your software:
- Follow the principles of privacy by design and default. For example, organize databases to keep a person’s identity separate from their other information so it can't be linked unintentionally or without authorization.
- Use techniques such as data anonymization, data masking, or data de-identification as standard practice.
- Build in features making it straightforward to correct or delete data and to provide it to the data subject in a portable (transferable) manner.
- Build in tools to collect and ensure informed and active consent, for example by requiring a user to tick a box or change a slider setting.
- Delete data that's no longer needed once test data generation is complete.
- Restrict access to any database of information gathered through apps.
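As an added illustration (not code from the article), the following Python sketch shows one way to apply the practices above: identity details and behavioural records sit in separate stores joined only by a keyed pseudonym, processing requires recorded consent and a stated purpose, masked display, portable export, erasure and retention-based deletion are built in. The two stores, the key name LINK_KEY and all sample values are constructed for the example.

```python
import hmac, hashlib, json

LINK_KEY = b"constructed-demo-key"  # assumed secret: keep in a KMS, rotate, restrict access

identities = {}  # subject_id -> {"name", "email", "consent"}  (tightly restricted store)
records = {}     # pseudonym  -> [{"purpose", "data", "expires"}]  (no direct identifiers)

def pseudonym(subject_id):
    # Keyed hash: stable per subject, but the link cannot be rebuilt without LINK_KEY.
    return hmac.new(LINK_KEY, subject_id.encode(), hashlib.sha256).hexdigest()[:16]

def register(subject_id, name, email, consent):
    # Consent is stored as an explicit boolean the subject set, never assumed.
    identities[subject_id] = {"name": name, "email": email, "consent": consent}

def record(subject_id, purpose, data, expires):
    # Process only with consent on file, a stated purpose and a retention date.
    if not identities.get(subject_id, {}).get("consent"):
        raise PermissionError("no consent on file for " + subject_id)
    records.setdefault(pseudonym(subject_id), []).append(
        {"purpose": purpose, "data": data, "expires": expires})

def mask_email(email):
    # Data masking for screens and logs: keep the domain, hide the local part.
    local, _, domain = email.partition("@")
    return local[:1] + "***@" + domain

def export_subject(subject_id):
    # Right to portability: all data held about one person as machine-readable JSON.
    ident = identities[subject_id]
    return json.dumps({"identity": {"name": ident["name"], "email": ident["email"]},
                       "records": records.get(pseudonym(subject_id), [])}, indent=2)

def erase_subject(subject_id):
    # Right to erasure: drop the identity and every record linked to it.
    records.pop(pseudonym(subject_id), None)
    identities.pop(subject_id, None)

def purge_expired(today):
    # Storage limitation: remove records whose retention date (ISO yyyy-mm-dd) has passed.
    for pseud in list(records):
        records[pseud] = [r for r in records[pseud] if r["expires"] >= today]
        if not records[pseud]:
            del records[pseud]
```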
Appointing a Data Protection Officer
Whoever you appoint as data protection officer must have the skills to carry out the role, most notably having expert knowledge of data protection law.
You can appoint an existing staff member, hire somebody new, or use an outside contractor. It’s fine to share a data protection officer with other organizations such as a sister company or to have a data protection officer who also does other work for you. The key is that no matter what setup you choose, your data protection officer must have the necessary resources, including their time, to fulfill their duties with no conflict of interests.
Your data protection officer must have operational independence. This means you can’t tell them how to do the job and you can’t dismiss them simply for carrying out their duties. You must give them the authority to carry out the role.
How to Choose a Data Protection Officer
As the GDPR is only a few years old, you may want somebody who has experience working on other data privacy matters and risk assessment. Wherever possible, appoint somebody with specific experience with data protection in your industry.
A good data protection officer will also have skills and experience dealing with people and organizations. They must be able to assign and explain responsibilities clearly and develop workable data policies. They’ll also need to deal sensitively with staff and understand your needs and constraints while maintaining their operational independence.
Advice from Data Protection Officers
Now the GDPR has been in effect for a few years, many data protection officers have practical experience with ensuring compliance in the real world. Here are a few key tips they’ve shared.
Adrian Leung of Equifax stresses the importance of having “training and systems in place to identify, monitor, and progress [data access requests] centrally and efficiently.”
Dave Swarthout of Monetate says that “someone who is confident that they are 100 percent prepared, might not have spent enough time on the matter and have a false sense of security.”
The Bottom Line
As more countries and states adopt rigorous privacy laws, having a data protection officer makes business sense, even when it's not a legal requirement. Making sure your business complies with all applicable rules is a specialist, complex task that requires professionalism and expertise. It's also a great signal to customers that you take their privacy seriously.