In the most recent episode of Countdown to GDPR, Jonathan Armstrong, a partner at Cordery Compliance in London and myself considered the role of the Data Protection Officer (DPO) in complying with the new regulations which go live on May 25, 2018. You can check out the full conversation here.

The Cordery Compliance FAQs note that DPO must be appointed to deal with data protection compliance where:

  •  The core activities of the data controller or the processor consist of processing operations which, by virtue of their nature, scope and/or purposes, require regular and systematic monitoring of data subjects on a large scale; or,
  •  The core activities of the data controller or the processor consist of processing on a large scale of special categories of personal data, namely those revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, and, the processing of genetic and biometric data in order to uniquely identify a person, or data concerning health or sex life and sexual orientation (which can only be processed under certain strict conditions such as where consent has been given), or, data relating to criminal convictions and offences.

The DPO must be suitably qualified and is mandated with a number of tasks, including advising on data- processing, and, must be independent in the performance of their tasks – they will report directly to the highest level of management. Businesses will therefore have to determine whether a DPO must be appointed or not, but, given the significance of privacy compliance today, even if technically-speaking a DPO is not required to be appointed, a business of a particular size that regularly processes data may wish to consider appointing one in any event.

Compliance practitioners will note the similarities with the series of requirements by US Department of Justice (DOJ) for the professionalism, authority, corporate standing and resources made available to a Chief Compliance Officer (CCO). Armstrong this professional requirement has existed in several EU countries such as Germany, Hungary and Austria. While you are not required to have a law degree, it certainly would assist any DPO in interpreting GDPR and any commentary on it from EU member countries. Armstrong also noted that some countries such as Ireland, have come out with specific guidance on the qualifications of a DPO which are “worth a read.” However if the DPO is someone more usually seen as a CCO, there will need to be some technical competence or skills made available to them.

The steps that a DPO should take at this point will also be somewhat familiar to a compliance professional. It all starts with a company assessing its data privacy and data protection risks under GDPR and then move to manage those risks. Not every risk can be covered at this point in time so any DPO must come up with a remediation plan and work towards managing those risks. Armstrong emphasized that GDPR belongs to the business and this means the business unit folks should be a part of this remediation. Obviously, the business folks are going to understand the business implications more than a DPO so they should be consulted.

Armstrong believes one of the key focal points for any DPO will be in data protection related activity. In addition to the technical requirements for data protection there is the need to train employees what to happen if there is a data breach. There now a 72-hour window for reporting data breaches and employees need to be trained to report such breaches up the line, immediately upon discover so training led by or approved by the DPO is critical at this point.

Senior management should certainly be consulted but there may need to be an educational component as well to discuss potential issues which might turn into violations. There are specific data regulation protocols under GDPR which should be considered. Certainly in the United States the new rights created under GDPR: the Right to be Forgotten, “which is the right to have personal data erased “without undue delay”, based on certain grounds, for example where data is no longer necessary in relation to the purposes for which they were collected or otherwise processed”; the Right to Portability, “which is an individual’s “right to receive the personal data concerning him or her, which he or she has provided to a controller, in a structured, commonly used and machine- readable format and have the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided”;  and the Right Not to be Profiled, which is “defined as “any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a person, in particular to analyse or aspects concerning a person’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements.”

Finally another key right is the “Subject Access Request” (SAR); [which will no doubt sow confusion with US SAR’s (Suspicious Activity Reports). Under GDPR, SARs a company must have a process which have “a process whereby someone can exercise their right to gain access to data held on them, must be answered within one month of receipt of the request, but which may be extended for a maximum of two further months when necessary taking into account the complexity of the request and the number of requests. It must also be highlighted that under the new rules the ability for a business has to ask for a fee for an SAR has been abolished.”

The role of the DPO is critical in complying with GDPR. The time to start is now. For more information, visit the Cordery GDPR Navigator, which provides a wealth of information to utilize in your data privacy compliance program. Finally, Jonathan Armstrong will be in Houston on April 10, 2018 to put on a 3-hour workshop on GDPR. The event will be held at the South Texas College of Law, from 9-12 AM. You can find out more information on the event and register by going to the site.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at

© Thomas R. Fox, 2018