The General Data Protection Regulation (GDPR) has been enforced since 25 May 2018. If you still have not hired a data protection officer, this guide should help you. It is a complete guide to hiring a Data Protection Officer (DPO) under the GDPR, and it walks step by step through the questions that come up around the role.
A Data Protection Officer is the professional responsible for data protection activities and for implementing protective measures inside the company. They hold the security leadership role that oversees data protection strategy and implementation, ensuring compliance with GDPR requirements, and they report directly to senior management, the managing directors and the CEO of the company.
Under Article 37 GDPR, you need a data protection officer if:
What are the basic responsibilities of a Data Protection Officer?
The Data Protection Officer should have the following responsibilities:
This means a data protection officer is the coordinator between the controller or processor and the supervisory authority. They are also responsible for responding to data subjects, that is, the consumers and customers of the company. Under the GDPR, data subjects can request access to the data that is collected and processed about them.
This section shows how the responsibilities listed above turn into concrete tasks. The DPO has to ensure that the data protection rules are respected, in cooperation with the data protection authority (for the EU institutions and bodies, this is the EDPS). In the EU institutions and bodies, the DPO must:
There are no exact qualifications written into the law. But the law does say, “The data protection officer shall be designated on the basis of professional qualities and, in particular, expert knowledge of data protection law and practices” (Article 37(5) GDPR). As a rule of thumb, the data protection officer should have at least 30 to 60 hours of training to understand the law and its requirements. You can get your Data Protection Officer trained at the following places:
Since there are no exact criteria, our suggestion is that adequate training or a certification covering a certain number of hours should suffice. If your data protection officer is a lawyer by profession, training will be easier.
What do we have to do to support the DPO?
You must ensure that:
This shows the importance of the DPO to your organization and that you must provide sufficient support so they can carry out their role independently. Part of this is the requirement for your DPO to report to the highest level of management (Article 38(3) GDPR). This doesn’t mean the DPO has to be line-managed at that level, but they must have direct access to give advice to the senior managers who make decisions about personal data processing.
As a controller or processor, the following are the best practices for hiring a data protection officer:
In principle, a company can appoint a Data Protection Officer both internally by assigning the role to an employee and externally in the person of a service provider. The decisive criterion should always be the necessary expertise and reliability that a DPO needs in order to be able to properly fulfill the intended tasks. But what distinguishes an internal from an external data protection officer? We would like to explain the differences on the basis of essential dimensions such as competence, liability and dismissal protection. In addition, to enable you to directly compare the costs of an internal and external data protection officer, we use a fictional calculation to show you how your company’s investment in data protection could be structured.
If you appoint an internal data protection officer, the managing director hands the task of DPO to an employee of the company. If an internal employee meets all the necessary requirements, they can be appointed as the internal data protection officer. Once appointed, the internal DPO enjoys protection against dismissal (in Germany under the Federal Data Protection Act, BDSG) and has further claims, such as their own equipment and training. However, if a company appoints a data protection officer who does not have the required skills, the law treats this as if no data protection officer were present in the company.
In contrast to the internal data protection officer, the external DPO is a certified data protection expert who is available to your company as a service provider. The expertise of an external data protection officer provides strong protection for your company. With a transparent cost structure, contractually agreed prices and a flexible contract period, the external data protection officer takes care of your obligations quickly and efficiently, protecting you from high fines.
First of all, internal and external DPOs differ in the costs incurred. For an internal data protection officer the company has to pay for education, training and specialist literature in addition to the regular salary. With an external DPO, your company benefits from a transparent cost structure, since all services and costs are contractually defined.
In terms of competence, an internal DPO first has to undergo time-consuming and costly further training to gain the specialist knowledge if they are not already specialized in the field. An external DPO, on the other hand, can demonstrate certified, immediately available expertise from the beginning of the cooperation. The internal DPO, however, has an advantage in onboarding, as they generally already know the operating procedures, while an external DPO must first familiarize themselves with the operational procedures and processes.
If a serious error results from the data protection officer’s advice, for example misuse of customer data, an internal DPO is only liable within the limits of employee liability, which means that full liability falls on management. In contrast, an external DPO is liable for their own advice and thus minimizes the risk for the company.
When appointing a company data protection officer, a possible later termination should already be considered. An internal DPO is subject to special protection against dismissal, comparable to the position of a works council member. The engagement of an external data protection officer, however, can be terminated at the end of the agreed contract term.
We would like to explain this to you in more detail with a table:
Based on our experience of talking to hundreds of data protection officers, the cost of a data protection officer in Europe depends on the hourly rate. A data protection officer without a legal background costs around 100 to 200 € per hour; one who is a lawyer costs around 300 to 500 € per hour. Many data protection officers bill on an hourly basis per year or on a monthly package basis. If you are hiring an external data protection officer, keep in mind that a very low rate usually means they have many clients, so you won’t get individual attention or consulting, and a big brand usually means you pay a lot while still getting less attention.
Here’s a sample Appointment Letter for a DPO from ECOMPLY.io
Ms. Sample – Data Protection Officer –
Sample Street 2
The ACME LLC herewith and with immediate effect appoints Ms Sample as the Data Protection Officer – as stipulated in Article 37 GDPR referencing § 38 BDSG-neu for our company. To facilitate the execution of this role as Data Protection Officer, he/she shall report directly to management, specifically NAME_MANAGING_DIRECTOR.
Ms. Sample is entrusted with providing consultancy services and ad-hoc spot checks to ensure company-wide adherence to the provisions of the GDPR and to further data protection regulations.
In concrete terms, his/her duties shall be derived from the GDPR and shall, specifically, be aligned with Article 39 GDPR.
Ms. Sample shall act without being subject to supervisory instruction in the application of expertise in the area of data protection and shall be supported by management in his/her executional endeavors. To this end, he/she may consult the data protection regulatory authority responsible for our company whenever clarification is required.
Representing the management:
Place, Date Signature Managing Director
I approve of my appointment to Data Protection Officer:
Signature Data Protection Officer
If you have any further questions or want to know how we can help your DPO, book a demo with us!
by Hauke Holtkamp
Does GDPR apply to Small business (SMEs)? Will SMEs get fined? Are you scared about a €20 Million fine for your company? There is a solution to this.
The GDPR applies from 25 May 2018 and is binding on all companies and organizations handling the data of individuals within the EU. From now on, your company can be held liable for the data it collects and uses. Fines of up to €20 million or 4% of annual worldwide turnover, whichever is higher, can be imposed. This company was fined $250 million even before the GDPR was in place. But this can be avoided!
Are you ready for GDPR? If yes, read more to see if you have everything in place.
Not ready yet? Follow the steps below to be GDPR ready!
GDPR is a regulation of the European Parliament and of the Council which applies from 25 May 2018. As a regulation it binds companies and their customers as directly as a national law. Decision makers and key people in the organization must identify which of the company’s processes are not GDPR compliant and analyze what resources will be required to fix them in time. The UK’s ICO provides in-depth information on what the GDPR is and everything you must know about it. If you are a small business owner (SME), the GDPR affects you as well.
Our GDPR glossary will help you understand the relevant terminology. You must also know where your company stands in relation to GDPR compliance. You can take this gap assessment to find out!
GDPR requires you to maintain records of processing activities (Article 30). Article 30(5) offers a limited exemption for organizations with fewer than 250 employees, but it does not apply if the processing is likely to result in a risk to data subjects, is not occasional, or includes special categories of data, so in practice most SMEs still have to keep these records.
Your organization must document all the personal data it holds, where it came from and how it uses it, whenever the data relates to an identifiable person. Furthermore, your organization must be able to make up-to-date records of processing activities (RPA) available to the competent data protection authority on request.
The development of the records of processing activities is also a key step because it enables the company to evaluate the whole process and understand where corrective measures have to be taken. Without such a record, no compliance to any further requirement of GDPR can ever be achieved!
Need help with organizing your data for GDPR compliance?
If you need help figuring out how you can record processing activities, this tool will help you organize your data.
The individuals whose data your company uses must be informed through a privacy notice detailing in simple terms what kind of data you obtain, in what ways you obtain it, for which purposes you need it and whether you transfer the data to countries outside the EEA.
Do you need a privacy notice? With this tool you can create a first draft that meets the legal requirements.
Now that you have sorted your data, you have to review all procedures concerning personal data from a legal point of view. Are they GDPR compliant or not? The answer is complex and usually the work of a lawyer. Generally, keep in mind that processing activities concerning personal data may affect the rights of the individuals; such processing therefore always has to rest on a lawful basis.
Consent is one of the lawful bases under Article 6 GDPR and, in practice, one of the most important pillars of data protection. Your company should review how you seek, record and manage consent. Existing consents must meet the GDPR standard, so your company may have to review and refresh all of them. SME owners have to do this too, on an ongoing basis.
For example, the wording of a consent request must be plain and in an easily understandable format. The UK’s ICO provides consent guidance that is a useful tool for drafting consents in line with the GDPR.
Your company should update its procedures and plan how it will handle subject access requests under the new rules. In most cases, you will not be able to charge for complying with a request.
You will have one month to comply, rather than the 40 days allowed under the previous UK law (per the ICO guidance this step is based on); for complex or numerous requests the period can be extended by two further months, provided you inform the individual within the first month.
You can refuse, or charge a reasonable fee for, requests that are manifestly unfounded or excessive. Where the data subject exercises the right to data portability (Article 20), you must provide their data in a structured, commonly used and machine-readable format. If you refuse a request, you must tell the individual why and that they have the right to complain to the supervisory authority and to seek a judicial remedy. You must do this without undue delay and at the latest within one month.
When your company works with a data processor, it should review its data processing contracts for GDPR compliance (Article 28). First, make sure you actually hold those contracts, which is not always the case with free cloud services. You must be able to present the contracts at the latest when the competent data protection authority asks for them. Finally, the contracts themselves must comply with the GDPR, and there is a high probability that they will have to be adjusted.
Your company may have to appoint a DPO to take responsibility for regulatory compliance.
This DPO reports to the highest management level and has to make sure the company takes the measures needed to bring its processes and information flows in line with the GDPR. A DPO is mandatory only in specific cases (Article 37), but even where it is not, having a specialized role within the organization is a good idea.
Another option is a virtual DPO, who can help your company become GDPR compliant. The best part is that it costs much less and reduces the company man-hours involved by 75%!
GDPR may not directly require an SME to appoint a DPO, but if an SME processes special categories of data such as health data on a large scale, it would be wise to hire a DPO externally or part-time internally.
Your company has to evaluate in depth the type of processing it carries out on each category of data it collects and analyze the risks it may pose to the data subject. Every software used, activity performed and measure taken must embody data protection by design and by default (Article 25). This does not make breaches impossible, but it reduces the likelihood and impact of vulnerabilities affecting this data and of harm to the rights of the data subject.
If the processing activities or the data carry a high risk, a data protection impact assessment (DPIA, Article 35) must be performed to evaluate the right measures to minimize these risks. Important measures for achieving this are pseudonymization, data minimization, erasure of data once the retention period or the consent it rests on has expired, and granting the data subject access to their data.
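To make the three technical measures above concrete, here is an added example (not code from the original article or from ECOMPLY.io) of how an engineering team might implement keyed pseudonymization, data minimization and retention-based erasure for an analytics export. The customer records, the analytics field list and the 90-day retention period are constructed assumptions for illustration only. The pseudonym is an HMAC with a secret key kept apart from the exported data: a plain hash of an e-mail address would let anyone with a candidate list re-identify the subject, whereas the keyed version can only be reversed by whoever holds the key.

```python
import hmac
import hashlib
from datetime import datetime, timedelta

# Constructed sample customer records (assumed data, not real customers).
SAMPLE_RECORDS = [
    {"email": "Alice@Example.com", "name": "Alice Example", "phone": "+49 30 1234567",
     "plan": "pro", "collected_at": "2018-01-10T09:00:00+00:00"},
    {"email": "bob@example.com", "name": "Bob Example", "phone": "+49 89 7654321",
     "plan": "free", "collected_at": "2018-05-01T12:30:00+00:00"},
]

# Assumed purpose: product analytics only needs the plan and the collection date.
# Everything else (name, phone, e-mail) is dropped before the record leaves the
# system of record. This is data minimization in practice.
ANALYTICS_FIELDS = ("plan", "collected_at")


def pseudonym(identifier: str, key: bytes) -> str:
    """Keyed pseudonym: HMAC-SHA256 over the normalized identifier.

    The key is the 'additional information' of Art. 4(5) GDPR and must be
    stored separately from the pseudonymized data set.
    """
    normalized = identifier.strip().lower().encode("utf-8")
    return hmac.new(key, normalized, hashlib.sha256).hexdigest()


def minimize(record: dict, key: bytes) -> dict:
    """Return a pseudonymized, minimized copy of a record for analytics."""
    out = {field: record[field] for field in ANALYTICS_FIELDS}
    out["subject_id"] = pseudonym(record["email"], key)
    return out


def is_expired(record: dict, retention: timedelta, now: datetime) -> bool:
    """True once the retention period counted from collection has elapsed."""
    collected = datetime.fromisoformat(record["collected_at"])
    return collected + retention <= now


def purge_expired(records: list, retention: timedelta, now: datetime) -> tuple:
    """Split records into (kept, erased) according to the retention period.

    The erased list exists only so the caller can log the count; the records
    themselves must not be written anywhere after this point.
    """
    kept = [r for r in records if not is_expired(r, retention, now)]
    erased = [r for r in records if is_expired(r, retention, now)]
    return kept, erased


if __name__ == "__main__":
    # Assumed key material; in production load it from a secrets store.
    key = b"replace-with-a-random-32-byte-secret"
    now = datetime.fromisoformat("2018-06-01T00:00:00+00:00")
    kept, erased = purge_expired(SAMPLE_RECORDS, timedelta(days=90), now)
    print(f"erased {len(erased)} expired record(s), exporting {len(kept)}")
    for record in kept:
        print(minimize(record, key))
```

Usage note: run the script once with today’s date to see which records the retention rule would erase, then wire `purge_expired` into the job that feeds the analytics store and `minimize` into the export step. Rotating the HMAC key breaks linkage between old and new pseudonyms, which is sometimes desirable (periodic unlinkability) and sometimes not (longitudinal analysis), so the rotation policy belongs in the DPIA.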
Your company must adopt internal procedures and require the same to third-party partners, in order to deal with data breaches.
Those procedures should include identifying the actual data breach, investigating its circumstances, and assessing the implications it may have both for the company and for the data subject’s privacy.
One thing to remember is that a breach must be notified to the supervisory authority without undue delay and, where feasible, no later than 72 hours after you become aware of it, unless it is unlikely to result in a risk to individuals (Article 33). Where the breach is likely to result in a high risk to the data subjects, they also have to be notified without undue delay (Article 34).
Data Protection Authorities in EU countries
This list provides the websites of the Data Protection Authorities in each EU country. You can find more specific content for your region on the corresponding website.
If you want to find out more about preparing for the GDPR, you should take a look at our GDPR webinar series. Each presentation covers a different aspect of the Regulation, such as data flow mapping, risk assessments, and data protection by design.
If you’re a small business (SME) owner, need help with GDPR and are just starting, get this guidebook to begin with.
by Aazar Shad