With only 6 months to go until the EU General Data Protection Regulation (GDPR) takes effect, both Jersey and Guernsey are working hard on implementing local data protection laws which meet GDPR requirements. Guernsey has recently published its draft legislation and Jersey's is expected shortly.
One of the key requirements of GDPR and the new Jersey and Guernsey data protection laws will be that in certain situations, a Data Protection Officer (DPO) must be appointed.
DPOs will be expected to play a prominent role in assisting their firms to comply with the new data protection provisions.
As a result, organisations which are subject to the provisions are hugely interested in identifying and attracting individuals with appropriate data protection experience to come and work for them. The International Association of Privacy Professionals (IAPP) has estimated that at least 28,000 DPOs will be required across the EU alone, so if you believe you have the necessary skills to be a DPO, or think that data protection may be a smart career move, you are likely to be in great demand.
Will financial services businesses need to appoint a DPO?
The answer to this question is “probably”.
The GDPR sets out certain circumstances where the appointment of a DPO is mandatory. The situation which is most likely to be relevant to financial firms which process personal data is “where the core activities of the data controller or data processor consist of processing operations which require regular and systematic monitoring of data subjects on a large scale”.
Well, that’s a bit of a mouthful! Let me try and explain what this means.
“Core activities” are those operations carried out by the firm that are necessary to achieve its objectives. From a financial services perspective, this may include, for example, processing and monitoring personal data held for the investors of a collective investment fund, for clients of a private wealth business, or for the individuals connected to a trust or foundation.
“Regular and systematic monitoring” is likely to include the ongoing profiling and scoring of potential or actual customers for risk assessment purposes, including the detection of money-laundering. So, this is likely to apply to all financial services firms.
Whether the regular and systematic monitoring takes place on a “large scale” is perhaps less easy to determine, and consideration should be given to the number of data subjects and the volume of personal data being processed. However, it is likely to include the processing of customer personal data by a financial services firm, since that processing is a significant part of its business.
So, in summary, data controllers or data processors which are financial services firms will most likely have to appoint a DPO. Even in situations where it is not mandatory, it is good practice, and it reassures customers to know that a suitable person has been appointed by the firm to assist it in complying with its data protection responsibilities.
What does a DPO need to do?
The DPO will be the first port of call on all matters data protection.
As you might expect, there are a few similarities between the role of a DPO and a registered compliance officer. A DPO must:
- Inform and advise the firm and its employees of their responsibilities and generally encourage a culture of data protection awareness and compliance across the firm;
- Monitor the firm’s compliance with data protection laws and the firm’s own policies and procedures;
- Provide advice and assist in the carrying out of Data Protection Impact Assessments (DPIAs). DPIAs are assessments which must be carried out where processing activities are likely to result in a high risk to data subjects;
- Be the contact point for, and co-operate with, the data protection authority.
DPOs should also follow a risk-based approach in carrying out their duties, prioritising and focusing their efforts on higher data protection risks.
The DPO is not personally accountable for compliance with data protection rules. This lies with the firm itself as data controller/processor.
Does the DPO have to be an employee?
A difference from the role of registered compliance officer is that the DPO does not need to be an employee of the firm. An external appointment may be made under a service contract, which may be attractive to smaller businesses. However, the person or organisation appointed would still need to have the necessary expertise and resources, and please remember that the firm itself, as data controller, remains responsible and accountable for compliance with the requirements.
What do I need to be a DPO?
The person appointed as DPO should have the necessary knowledge of relevant data protection laws so that they can carry out their duties. They will also need to have a good understanding of the business sector the firm is operating in, its organisational structure and the data processing operations which are carried out. Where data processing activity is particularly complex, a higher level of expertise would be required.
This raises the question whether the DPO should also be an IT or cyber security expert. This is difficult to answer. You will be aware by now that the DPO must have a good understanding of data protection as well as the firm’s data processing operations. They should also have a good understanding of the firm’s IT systems, its data security infrastructure and an awareness of new and evolving threats to the security of the firm’s data. Therefore, at a minimum, the DPO should be able to call upon expert (and independent) support where needed.
Independence and seniority
DPOs must be able to act in an independent manner and have sufficient standing in the firm so that their views and advice are taken seriously. DPOs cannot be disadvantaged, disciplined or dismissed for doing their job even when it involves providing an unpopular opinion or objection.
Whilst DPOs may undertake other tasks and duties, these must not result in a conflict of interests. For example, the DPO should not also be making decisions on how personal data is to be processed. For the same reason, it would not be advisable for a head of department, such as the Chief Operating Officer, Head of IT or Head of HR, to be the DPO.
It may be suitable for the DPO to be a senior member of the compliance, legal or risk functions. However, the role must be treated as an additional and distinct responsibility requiring adequate time and resources, not merged into existing workloads.
What support should I receive?
Senior management support of the DPO and their activities is essential. The DPO should have a direct reporting line to the board or senior management and be a regular participant at senior management meetings. Board agendas should include a regular update on data protection matters from the DPO.
Active support of the DPO by senior management also includes providing sufficient time and resources to carry out the role, proportionate to the level and complexity of the data processing which is carried out. Training opportunities must be provided so that the DPO can stay up to date with data protection developments and increase their expertise.
The GDPR also states that the DPO must be properly involved in a timely manner with all issues and decision making which relate to the protection of personal data. This applies to the conducting of DPIAs, the design of new data processing activities as well as the notification of breaches.
The skills and attributes which a successful DPO needs are significant. Excellent subject matter expertise, organisational skills and communication skills are pre-requisites. DPOs must also command respect at all levels of seniority in the firm, yet be prepared to provide unpopular advice or feedback where necessary. For those, however, who are seeking a challenging role in a high profile, fast moving environment, the role of DPO may be just what you are looking for!