The primary role of the Data Protection Officer or DPO is to manage the organizational data protection program. In the EU, under the GDPR, a DPO is responsible for advising the appointing entity towards compliance with the GDPR and other applicable laws. The Data Protection Officer makes certain that the organization processes the personal data of its staff, customers, providers or data subjects in compliance with the applicable data protection rules. Multinational companies often have more than one DPO, appointing a specific DPO who is familiar with the regional nuances of data protection law and can work directly with the data protection authorities (DPAs) of the region.

For companies operating in the EU, Article 37 of the GDPR sets out three primary scenarios where the appointment of a DPO is mandatory:

Data processing is carried out by a public authority or body, or

The core activities of the controller or the processor consist of processing operations which require the regular and systematic monitoring of data subjects on a large scale, or

The core activities of the controller or the processor consist of processing on a large scale of sensitive personal data or personal data relating to criminal convictions and offences.

Companies operating strictly in the US are not required to have a DPO, but many find that it is advantageous to appoint one to run their privacy program. The model for the roles and responsibilities of a DPO in the US has been widely modeled after that in the EU.

If your company is not based in the EU, nor has offices there, but does offer products or services to EU residents or monitors the behavior of EU residents and thus processes the data of EU residents, then the regulations of the GDPR are applicable and you need to appoint a DPO. Otherwise you need to at least appoint a representative in the EU, to function as a point of contact for data protection related matters for both data subjects and the supervisory authorities.

In the EU, because it is a mandatory requirement of the GDPR that a company must appoint a DPO, when you have appointed a new internal DPO, or hired an outsourced external DPO, it is important to notify the relevant data protection authority in a timely manner that you have done so. As your appointed external DPO, 2B Advice can do that on your behalf.

If you are operating solely in the US and process no data of EU citizens, you do not need to announce the appointment of a DPO.

In the EU, the GDPR requires that a DPO be independent, have expert knowledge of data protection law and practices, receive adequate training, and report to the highest level of management. Due to that need for independence, as well as a global shortage of qualified trained data protection legal and operational experts for hire, many entities opt to outsource the role of Data Protection Officer to appropriate legal and data protection experts such as 2B Advice.

The DPO must be able to perform his or her duties independently, and not receive any interference regarding the performance or duties. A minimum term of appointment and strict conditions for dismissal must be set out. This ensures independence. For these very reasons it is extremely difficult to dismiss a DPO. A company must have established that the DPO did not meet these strict conditions in order for the DPO to be dismissed. For this reason, some companies find it preferable to have an external or outsourced DPO who can maintain independence, perform DPO duties, and also have flexibility build into the contact to exchange the person if deemed necessary.

The role of DPO is in high demand throughout Europe as well as all around the globe, making the availability of highly qualified data protection law experts a scarce commodity. An external or outsourced Data Protection Officer is provided by a proven data privacy consultancy that specializes in these services such as 2B Advice. Outsourced DPOs meet all the qualifications of an internal DPO, for the fraction of the cost and added flexibility. Due to their experience and knowledge of data protection supervisory authorities, a company can save many months of time in recruiting and onboarding by using an outsourced DPO. In addition, by being external, they have an added ability to maintain independence and yet bring years of experience to your company’s privacy program. Other advantages are that it is easier to make changes if it is necessary to replace the DPO.

The law only specifies that the DPO should have an expert level knowledge of data protection law and the ability to work closely with the data protection supervisory. Speaking multiple languages can provide smoother communication with the authority. 2B Advice provides DPOs who are multi-lingual and experienced in working many supervisory authorities.

Our outsourced DPO Services are divided into a set-up and a maintenance stages in accordance to the lifecycle of data protection compliance. The outsourced DPO ensures that the data protection rules are respected in cooperation with the data protection supervisory authority.

These tasks may include:

• Assessing data protection compliance risks and communicating them to stakeholders
• Giving advice and recommendations to the institution about the interpretation or application of the data protection rules
• Establishing an internal data protection organisation, if needed
• Illustrating processes for data protection management in privacy compliance software, such as 2B Advice PrIME
• Ensuring that controllers and data subjects are informed about their data protection rights, obligations and responsibilities and raise awareness about them
• Creating a register of processing operations within the institution
• Working towards data protection compliance
• Handling queries or complaints on request by the institution, the controller, other person(s)
• Acting as the contact point for the supervisory authority on issues relating to processing
• Raising the privacy awareness of employees and management through training and education
• Advocating for the institution’s data protection concerns before national and European data protection supervisory authorities
• Providing advice where requested as regards the data protection impact assessment and monitoring its performance pursuant to Article 35 of the GDPR

In the EU institutions and bodies, the GDPR Data Protection Regulation mandates that public companies which monitor people or process sensitive data must have a Data Protection Officer (DPO). There is no requirement to have multiple DPO’s. However, because each data protection supervisory authority has their own layers of nuances in applying privacy law, it can be advantageous to dedicate additional data protection coordinators to work with directly with specific DPAs.

Multinational companies who do business in Europe find that it is useful to have a DPO appointed for each country. As such companies often have more than one DPO, appointing a DPO who is familiar with the regional nuances of privacy law and can work directly with the data privacy authorities of the region.

The role of data privacy officer role is of growing interest in the U.S. as well, with the legislation of new privacy acts which differ from the GDPR.

There are no US regulations requiring a DPO to be appointed as there is under the GDPR. However, you will need a dedicated executive in charge of leading your privacy compliance. It’s a big job and as we learn from the GDPR, it is better that it is independent. For example, it is not logical to have the same person leading both security and privacy.

Founded in 2003, 2B Advice has deep experience in the role of DPO. 2B Advice experts serve as external Data Protection Officer for 148 companies, some with over 100 subsidiaries. We have conducted data protection training for over 5,000 participants including 3,000 DPOs.

To learn more about 2B Advice Consulting and outsourced DPO services, schedule a meeting with a sales representative today.

As the Data Protection Officer, your 2B Advice appointed DPO will determine — once provided with proper access to the appointing entity, its management, relevant records, systems and employees — what the appointing entity would need to do to achieve privacy compliance, make the appropriate recommendations, and supervise the implementation of proposed remedial measures.  As we are bound to do this in professional independence, we don’t commit to a specific roadmap but stipulate that we will perform all steps required to make the necessary determinations and issue the appropriate recommendations.  This ensures that we are not simply running down a checklist or list of deliverables but retain responsibility for achieving the promised outcome.

Beyond compliance with EU directives, there can be a great advantage to having one or more outsourced, independent DPOs. It is advantageous to have specialized understanding of regional data protection laws as more states and countries adopt privacy regulations. Such outsourcing of the privacy officer role can boost the organisation’s health by building up protection against potential data breaches, can help create a culture of privacy that serves as a competitive advantage, and be a valuable business partner to enable growth.

The DPO must have the independence and freedom of determination to carry out their management of the data privacy program without interference or influence from others. The reason for this independence lies in the role of the DPO. The DPO must be able to act as an independent point of contact for employees and customers for complaints regarding data processing and also be able to provide advice regarding the level of organisational compliance with data protection laws.

Yes. It must be ensured that the data protection officer is independent in his work. From this, the prevailing opinion is derived that he must also have his own budget to ensure this independence. If he had to get the costs for each travel activity or other measure approved first, independence would not be given.