Does a US-based company need a Chief Privacy Officer?
What is a Data Protection Officer?
One of the major distinctions between the European Union's General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA) is the treatment of the Data Protection Officer, or DPO. GDPR defines the DPO formally and spells out the conditions under which an organization must appoint one.
CCPA has no such requirement, but it is generally accepted that to maintain privacy compliance a company needs a qualified individual monitoring its data-gathering activities and the storage and transfer of consumer data, as well as responding to consumer inquiries. This individual is sometimes called a privacy officer or, more formally, a Chief Privacy Officer (CPO).
A US-based company is subject to GDPR, and may need a DPO, if it offers goods or services to people in the EU. Activities that can indicate a company is offering goods or services in the EU include:
- Retaining a European Representative
- Exhibiting at a trade show or conference in an EU Country
- Advertising in an EU-based publication in a local EU language
- Maintaining a website offering goods or services that is localized into one or more EU languages (gdpr.eu/Recital-23-Applicable-to-processors-not-established-in-the-Union-if-data-subjects-within-the-Union-are-targeted/)
The risk is that a company engages in one or more of these activities without understanding that by doing so it becomes subject to GDPR, and could be fined by a European Supervisory Authority for non-compliance. Under these circumstances it may be in a growing company's best interests to retain a DPO before the need becomes acute.
Even if a company does not rely on the sale of consumer data for much of its revenue, it may still need to comply with CCPA if it has more than $25 million in annual revenue, or holds records on more than 50,000 California consumers, households or devices. For rapidly growing companies these thresholds can be reached quickly, especially given the reach of today's Customer Relationship Management (CRM) and marketing automation tools. Also, at this time the CCPA's definition of "households and devices" is not clearly limited to California and could be read to cover the entire nation. This ambiguity will probably be addressed in a subsequent revision to the law, which could ultimately mean that consumers outside California are included. Further, if a company is a potential acquisition target, its compliance posture may be scrutinized by the acquirer. In any case, it is usually best for a company to anticipate the need and retain an individual responsible for its privacy compliance.
Hiring a DPO or CPO
Companies are discovering that in most cases they cannot simply assign a current employee to the privacy role. The GDPR resource website GDPR.eu lists specific qualifications (gdpr.eu/data-protection-officer/) for the role, including:
- Over 5 years of experience with EU and global privacy laws
- Experience with IT programming and infrastructure
- Experience with IT system audits
Such a combination of experience is not common. In one significant study (iapp.org/news/a/study-at-least-28000-dpos-needed-to-meet-gdpr-requirements/), the International Association of Privacy Professionals (IAPP) projected a need for over 28,000 of these highly qualified people. Many companies will find it hard to recruit someone qualified, especially for a role that is not seen as mission-critical to the business.
Outsourcing is a logical alternative for many companies. One option is to retain an independent Data Protection Officer consultant. An emerging practical solution is data protection as a service: a combination of powerful but simple-to-use online monitoring tools backed by professional privacy experts. This lets an organization keep daily monitoring tasks in house and call on privacy professionals for special issues, while avoiding the cost of a full-time DPO or CPO on staff.
GDPR is now in effect, and a number of organizations have had GDPR fines assessed against them, some more than once when they did not do enough to ensure compliance. CCPA took effect on January 1, 2020, with enforcement by the California Attorney General beginning in July 2020, and the AG has stated publicly his intention to enforce it (reuters.com/article/us-usa-privacy-california/california-ag-says-privacy-law-enforcement-to-be-guided-by-willingness-to-comply-idUSKBN1YE2C4).
A company may feel the need to hire full-time employees to cover the risk, but in this period of uncertainty, when many details and definitions have not yet been settled, a phased approach using outsourced resources may be the better alternative.