Under the EU General Data Protection Regulation (GDPR) many data controllers and data processors will be required to appoint a Data Protection Officer (DPO) with formal responsibility for ensuring data protection compliance within the business. DPOs can be either employees or consultants but must be given special protections, including sufficient resources, access to personnel and operations, as well as significant independence in the performance of their role and job security.
Dealing with large data sets? You probably need to appoint a DPO
Researchers dealing with large data sets will generally need to appoint a DPO. You must appoint one if you are a public authority or if your core activities involve:
  • regular and systematic monitoring of individuals on a large scale;
  • processing of special/sensitive personal data such as health data or data on criminal convictions and offences on a large scale; or
The decision needs to be made based on the scale of the data processing and the type of data being processed. For example, freelance independent qualitative researchers are unlikely to need a DPO, as the volume of data and the number of data subjects processed is likely to be relatively small. On the other hand, panel providers, opinion pollsters or audience measurement researchers will need to appoint one in light of the type and scale of their data collection.
Outside the EU? GDPR DPO requirements may still apply to you
As the GDPR has extraterritorial effect, you may be required to appoint a DPO even if you are based outside of the EU. Also remember that Member States may adopt more stringent requirements, so you should check for additional requirements set out in national laws.
Uncertain? Be careful and document your reasons if you decide against appointment
If you decide not to appoint a DPO, then document your internal analysis as evidence for the regulator showing that you have taken all relevant factors into account. Failure to appoint a DPO where required can lead to fines of up to €10,000,000 or 2% of the business's worldwide turnover, whichever amount is higher. Decide whether to appoint:
  • Decide if you need to appoint a trained DPO and document your analysis.
  • If you do decide to appoint someone on a voluntary basis, then decide whether you want to call them a DPO. If you give them the title voluntarily, you must still comply with all the other DPO requirements.
Pre-appointment:
  • Determine whether to appoint as an employee or outsource
  • Analyse the required skills and expertise and start recruiting
  • If using an external DPO then draft an appropriate contract
  • Structure your business or organisation so that the DPO can work autonomously, report to the highest management level and have adequate resources
  • Analyse any potential conflicts of interest
Post appointment:
  • Publish contact details of the DPO
  • Provide details of the DPO to the Data Protection Authority (DPA)
  • Ensure that on an ongoing basis the DPO has sufficient resources
Dr Michelle Goddard, Director of Policy & Communication, EFAMRO