DPO according to GDPR
The General Data Protection Regulation (GDPR, Regulation (EU) Directive 2016/679) which comes into force on May 25, 2018 will harmonise protection of personal data. Its overriding goal is to return control of personal data to EU citizens and residents while also imposing significant sanctions for non-compliance (up to EUR 20 m, or 4% of total worldwide annual turnover).
GDPR significantly increases the existing data protection requirements by extending the territorial scope, the rights of individuals and the specific obligations of financial institutions. We have previously published a more detailed introduction of the GDPR scope, its major implications and a recommendation for a three-step implementation approach on this platform (see: https://www.insurance-hub.eu/general-data-protection-regulation/).
One of the focal points of the new Regulation concerns the appointment of a Data Protection Officer (DPO). The GDPR clearly stipulates in which cases designation of a data protection officer is mandatory and what their typical responsibilities are, but only gives vague guidance on how they are appropriately positioned within the organisation.
In this article we aim to explain the main responsibilities of the DPO, a role which has been heavily extended in comparison to existing local legislation (such as the German Federal Data Protection Act , Article 4f of German law) and outline some principles of organisational setup. We also discuss the relationship of the DPO with other areas such as Information Security (InfoSec) and discuss pros and cons of allocation within the organisation’s hierarchy. Finally we give our recommendation while taking GDPR requirements and practical experience into account.
The role of the DPO
The DPO role is primarily described in Article 39 of the GDPR. They shall monitor compliance, inform and advise data controllers, data processors and all employees who carry out personal data processing, cooperate with supervisory authorities and act as the single point of contact for data subjects regarding their rights.
In short, they are responsible for monitoring that all requirements of the institution are met. A short overview of main tasks is shown in following figure.
In order to properly meet these responsibilities they will need to be appropriately embedded within a dedicated department or to have suitable supporting roles established within the organisation. The GDPR provides some guidelines on how this organisation needs to be set up in Article 38:
GDPR regarding the position of the data protection officer
Interpreting Article 38 and especially the impact for insurance companies, it becomes clear that the DPO will need support from top management and possibly a direct reporting line in order to avoid or navigate potential conflicts. The conflict between a firm’s digital strategy and the DPO’s GDPR mandate could be an example of this. The DPO’s role in compliance with privacy rights and creating transparency might have a significant impact on IT implementation costs and time, product launching, marketing initiatives, etc. The law also stipulates the independence of the DPO, in particular their freedom to discharge their responsibilities without fear of penalties.
Organisational positioning of the DPO
Because the DPO will be “…involved, properly and in a timely manner, in all issues which relate to the protection of personal data” (Art. 38, 1) they will need to be significantly involved in data management topics (CDO and data governance organisation), information security and influence on IT for all data processing and systems that deal with personal data. The relationship to information security is especially important since the two areas will have an overlap of systems, data and functions which will be visible in policies and monitoring functions. Nevertheless, the DPO and InfoSec mandates are different. While DPO focusses on personal data protection (and thus the rights of individuals), the main focus of InfoSec is the protection of the institution itself by avoiding any critical disturbance in overall IT processing.
Every insurance company will need to answer the question of where to position this new role in the organisation while keeping the needs of both internal relations and cooperation in mind, as well as the overall guidance of organisation setup and embedding as specified by the Regulation.
Our point of view is that both the data controller and the data protection officer as monitoring authorities need to be supported by almost the whole organisation in order to achieve compliance with the GPDR. We see strong overlaps at least at the beginning of the journey with existing data management networks and already established roles and responsibilities.
As an example, BCBS #239 requires the implementation of several data ownership roles as well as stewardship, which could serve as first supporting roles in the new privacy collaboration model.
Most of the institutions we are working with have already started (or some even finished) a pre-study or implementation project. The question of who takes on the DPO role needs to be discussed at top management level while taking the existing organisational setup into account. We recommend that the organisational positioning and collaboration model should be defined early in the implementation phase in order to prevent a lack of guidance and support by the nominated board member, especially during first steps of implementation. We regard this as even more important because several strategic decisions will have to be taken (such as the level of GDPR ambition to reach by the time the directive comes into force in May 2018) that require the backing of senior management.
When assessing the organisational positioning of a DPO/data privacy function, we see the following key success criteria:
- Access to the board, i.e. a direct reporting line, to ensure sufficient attention and commitment
- A distinct function with dedicated resources, as the DPO function needs to execute distinct regular operations
- Same hierarchy level as InfoSec to avoid conflicts
Our recommendation would be to find a home for the DPO within the CRO area with a dedicated department on the third level, but with an additional direct reporting line to a board member. A point of discussion would be where to position the InfoSec area. Information security is (or should be) a well-established function and as it focuses on guidance and monitoring of measures for disturbance-free infrastructure, it is naturally settled in the area of CIO/COO. However—as discussed above—we see the need for close collaboration and interaction and thus recommend establishing regular exchange and alignment on initiatives and issues.
Our recommendation of an allocation of the DPO function to the CRO area is based on the fact that GDPR compliance will need a risk-based approach, in which the institution focuses on main processes, functions and systems that have a high risk of data breaches. For most institutions—where the time to change the organisation and to automate systems, design privacy and default is so short—there will be a need to focus on the main risk areas of data privacy. Once the DPO organisation is finalised and the processes and systems are under control, a less risk-based approach will be suitable and positioning within another C-suite portfolio might be reasonable.
 BDSG: Bundesdatenschutzgesetz (German Federal Data Protection Act)