What Is a Data Protection Officer and Do You Need One?

When a business operator realizes they need to comply with the GDPR or any other data protection law, one of the first questions to pop up in their head is - Do I need a DPO.

The short answer is - maybe.

In the following few paragraphs we will dive into the details about data protection officers and will give you an idea of whether you need one.

You will learn:

• What is a data protection officer
• Does your business need a DPO
• How various laws, including GDPR and CCPA, handle the DPO questions
• Do small businesses need a DPO
• Who can be a DPO
• What is the DPO’s position in an organization, and
• What are the DPO’s tasks
  

What is a Data Protection Officer (DPO)?

Data Protection Officer is the person that handles data protection matters in a company. 

The DPO is not just a random employee - it is a person that has been designated to do the tasks that a DPO needs to do. 

DPO is different from a legal representative in a country. Some data protection laws, such as GDPR and Thailand PDPA, require some foreign businesses to appoint legal representatives in the EU or Thailand to serve as contact points with the national authorities or data subjects.

The DPO and the legal representative could be the same person, but not necessarily. It is important to note that the two have different competencies and do different jobs.

Do I need a DPO?

Some companies need to appoint a DPO, but not all. 

You may or may not need to appoint one. That depends on two things:

• Whether the applicable law requires you to appoint one
• Whether you meet the legal thresholds and requirements that trigger the duty to appoint a DPO.

This means that you need to determine what data protection laws are applicable to you, and then determine whether these laws require you to designate a DPO.

We will explain the legal requirements through five laws: the GDPR of the EU, CCPA of California, LGPD of Brazil, Canada PIPEDA, Thailand PDPA, and South Africa POPIA.

Each of these laws applies to your business if either you or your users are from the country, state, or region where the law applies. So, if you are a Canadian business with customers from the EU and the US, the PIPEDA and GDPR apply to you. The CCPA applies as well if you meet the applicability thresholds.

Once you know what laws apply to you, it is time to determine whether these laws require you to appoint a DPO.

No two laws are the same, but oftentimes their provisions overlap. The DPO provisions of several laws worldwide are such an example. 

The GDPR introduced DPOs to the world, and the countries that followed the path paved by the EU introduced DPOs in their own countries as well.

EU GDPR

For most businesses, a DPO is not mandatory under the GDPR.

Only the companies that meet the following criteria must designate a DPO:

• Where the processing is carried out by public authorities (excluding courts in their judicial capacity). This includes only public authorities.
• Where the core activities of an organization involving processing require regular and systematic large-scale monitoring of persons. This includes advertising companies that process users’ behavior like Google and Facebook. Companies that regularly process geolocation, such as Strava, also fall under the scope of this requirement. Website analytics companies, no matter how big or small may also meet this requirement.
• Where the core activities of an organization consist of large-scale processing of special categories of data or data related to criminal convictions and offenses. This includes hospitals that process the vast amount of patients’ health data or banks that process customers’ financial data.

Only if you meet these requirements must you appoint a DPO. In all other cases, having a DPO is not obligatory, although it is a good practice. See some common problems GDPR DPOs face.

Data Protection Laws of the US States

The CCPA does not require a DPO in any company.

It requires companies to have a person designated for responding to consumer requests, but that’s different from having a DPO.

Utah, Virginia, Connecticut, and Colorado have all passed data protection laws, but none of them mentions a DPO.

Brazil LGPD

When it was first introduced, the Brazil LGPD required all businesses to appoint a DPO. However, it has been changed with a Resolution by ANPD, which excluded micro-enterprises, startups, small businesses, and non-profits from the obligation to designate a DPO. All they need is to have channels for receiving data subject requests. 

However, large enterprises still need to designate a DPO.

Canada PIPEDA

PIPEDA relies on ten principles. The first one of them - accountability, requires businesses to appoint a person responsible to ensure PIPEDA compliance.

The law doesn’t go further in requirements, but it makes clear to companies that meeting the accountability principle means having someone take care of data protection seriously.

Thailand PDPA

The Thai PDPA explicitly requires the appointment of a DPO for:

• Government bodies
• Companies with activities that require regular monitoring of large amounts of personal data
• Companies with core activities include the collection, use, or disclosure of sensitive personal data.

This law is similar in requirements to the GDPR. It also emphasizes the necessity for the independence of the DPO.

South Africa POPIA

The POPIA of South Africa requires businesses to appoint an information officer, whose role is very similar to that of the DPO according to other laws. It does not differentiate between companies as it requires them all to have appointed a person to take care of data protection.

Are small businesses required to appoint a DPO?

In general, the legal requirements do not discriminate against business size. All businesses that meet the requirements for appointing a DPO need to do so.

The only exception to this rule comes from the Brazilian LGPD, which excludes small businesses from the duty to appoint a DPO, but underlines that it is a good practice to have one.

The European Data Protection Board in its recommendations on DPOs also recommends appointing a DPO on a voluntary basis as a good business practice.

Who can be a DPO?

Businesses usually have two types of questions about who can be a DPO:

1. Does the DPO have to be an employee of the organization? The answer is no. You can assign a DPO from your employees or you can hire someone from outside to fill that role. In fact, there are many agencies that offer DPO-as-a-Service. Data protection laws do not constrain who can be your DPO. 
2. What are the qualifications requirements for the DPO? Laws do not burden data controllers with requirements regarding the qualifications of DPOs, but controllers are expected to appoint a person who understands the data protection requirements.

Some of the expected qualifications could include:

• Understanding of data processing operations in the company
• Understanding of data protection laws
• Understanding of IT and data security
• Ability to promote data protection in the organization

This is not an exhaustive list. It will be sufficient for some organizations, but not for all. If your company processes personal data on a large scale, it is wise to hire an expert to oversee your processing activities. Such data processing activities involve many risks that should not be left to chance.

What is the position of the DPO?

The Data Protection Officer must be independent in their work. There must be no conflict of interests.

In practice, this means that:

• No one in the organization can instruct the DPO on how to do their tasks
• The DPO must not make decisions on data processing (they can advise, but not make decisions, which excludes the marketing manager from doing DPO work)
• The DPO must not be punished in any way for exercising their duties.

The Data Protection Officer only monitors compliance. They don’t make decisions, but only advise decision-makers on how to comply with the applicable laws.

For example, the marketing manager makes decisions on what third-party tools to use for marketing automation or for advertising. The role of the DPO is to oversee this process and to advise them on whether the chosen tools (data processors) are compliant with the law, whether they collect only the minimum amount of data, and on other data protection issues. They may also recommend compliant tools.

However, the DPO cannot make any decisions. That is why the marketing manager must not be appointed as DPO - there would be a conflict of interest between doing their best in the marketing department and doing their best as a DPO. Sometimes the two are not aligned, so there are some possible conflicts of interest along the way. Learn about the 11 GDPR Marketing Mistakes and How to Fix Them.

What does the DPO need to do?

Having in mind the position of the DPO, their tasks include:

• Identifying processing activities
• Analyzing the activities
• Checking compliance of the processing
• Informing, advising, and issuing recommendations to the data controller.

This is rarely a full-time job, but it is very important. The DPO’s job is to oversee every bit of data processing and ensure that it complies with whatever law applies to such processing. That involves monitoring the personal data from the moment it is collected to the moment it is erased.

Final Thoughts

Appointing a DPO sometimes is a must. In all other situations, it is still a good practice.

Data protection laws, in general, do not burden all companies with DPO requirements. However, it doesn’t mean that you can take data protection lightly. You still need to meet all the legal requirements for compliance. In many cases, having a person dedicated to protecting your users’ data will make things run smoothly.

Want to Know More about DPOs? Take Our Course & Become Certified Today