Can a Data Protection Officer be Outsourced?
Data Protection Officers (DPOs) are a central requirement in numerous data protection and security laws and regulations around the world. Among the most prominent, the European Union’s General Data Protection Regulation (GDPR) requires certain entities subject to its requirements to designate a DPO. The DPO must be designated on the basis of professional qualities and in particular, expert knowledge of data protection law and practices and the ability to fulfill the tasks designated to him or her under the law.
Under the GDPR, the controller and processor must ensure that the role of the DPO comports with the following:
- DPO is properly and timely involved with all issues relating to the protection of personal data
- DPO is supported by the controller and processor in performing the tasks required under Article 39 of the GDPR, through the resources necessary to carry out those tasks, access to personal data and processing operations, and the means to maintain expert knowledge
- DPO shall not receive any instructions regarding the exercise of DPO tasks
- DPO shall be responsible for reporting directly to the highest management level of the controller or processor (i.e., the board or similar senior management level of the entity)
- DPO shall be receptive to data subjects’ issues raised via direct contact with the DPO as related to the processing of their personal data and to the exercise of their rights under the GDPR
- DPO shall be bound by secrecy or confidentiality concerning the performance of his or her tasks in accordance with Union or Member State law
- DPO may fulfill other tasks and duties, as applicable so long as any such other tasks do not result in a conflict of interests
As an initial threshold question, all controllers under the GDPR must determine if a DPO is required for their particular circumstances. Controllers not established in the EU also need to evaluate whether they require a DPO, as the GDPR applies to non-EU controllers and processors who offer goods and services to EU residents or monitor EU residents’ behavior. Specifically, Article 37 of the GDPR requires the “controller,” who determines the “purposes and means of the processing of personal data” and the “processor” working on their behalf to designate a DPO in any case where:
- The processing is carried out by a public authority or body, except for courts acting in their judicial capacity;
- The core activities of the controller or the processor consist of processing operations which, by virtue of their nature, their scope and/or their purposes, require regular and systematic monitoring of data subjects on a large scale; or
- The core activities of the controller or the processor consist of processing on a large scale of special categories of data pursuant to Article 9 and personal data relating to criminal convictions and offences referred to in Article 10.
Article 39 of GDPR also describes the role of the DPO as being responsible, at a minimum, for carrying out the following tasks:
- Inform and advise the controller or the processor and the employees responsible for carrying out processing of their obligations under the GDPR and other Union or Member State data protection provisions
- Monitor compliance with this Regulation, with other Union or Member State data protection provisions and with policies of the controller or processor in relation to the protection of personal data
- Assignment of responsibilities, awareness-raising, and training of staff involved in processing operations
- Facilitate or carry out audits
- Provide advice regarding data protection impact assessments and monitor performance of same
- Instruct controllers and processors on their obligations under the GDPR
- Receive communications from data subjects regarding their rights and processing of their data
- Cooperate and consult with supervisory authorities, including but not limited to on issues relating to processing
- Perform all tasks with due regard to the risk associated with processing operations, considering the nature, scope, context, and purposes of processing.
Outsourcing a Data Protection Officer
Given the breadth of requirements and responsibilities, it is of utmost importance that DPOs have the required skills, knowledge, and expertise in data protection laws and regulations, along with real-world experience in carrying out the related tasks. It is no surprise that companies of all sizes may face difficulties either in fulfilling this role internally or in hiring individuals who possess the essential skills and experience for a dedicated DPO position. This is particularly true given the required proficiency in data privacy and security risk assessment and best practices, knowledge and understanding of various data protection laws, confidentiality, risk mitigation, independent leadership, and board management, among others.
This challenge extends beyond the GDPR as other privacy laws require the appointment of similar positions. Within the United States, the Health Insurance Portability and Accountability Act of 1996 (HIPAA) requires HIPAA-covered entities to designate a Privacy Officer and Security Officer, who are each responsible for overseeing the development, implementation, and management of privacy and security policies and procedures as required under HIPAA. As the privacy and data security landscape evolves and more comprehensive data privacy laws are enacted, the need for a dedicated DPO position is expected to grow. Vitally, many privacy and data security laws, including GDPR and HIPAA, enable covered entities to outsource the role and responsibilities of the DPO via service contract agreements.
The Kendall PC data protection and privacy team offers outsourced privacy officer services, providing skilled professional leadership to head your organization’s data governance activity and create a defined vision for your data governance programs and systems.
Kendall PC’s outsourced privacy officer solution can provide short and long-term data protection officer assistance. We help companies of all sizes in a variety of industries build effective privacy compliance controls that mitigate risks and protect business interests.
Learn About the Data Protection and Privacy Services at Kendall PC
At Kendall PC, our data protection and privacy lawyers help companies of all sizes handle every aspect of data protection and privacy. Whether your business needs help dealing with a security incident, data breach, investigation, response, notification, or remedial measure, our team can help. We offer tactical insights on a variety of compliance and transaction-based strategies.
To learn more about Kendall PC’s data protection and privacy services, contact us today online or at (484) 414-4093. We serve small, midsized, and emerging companies throughout the United States and across the globe.