The EU General Data Protection Regulation, or GDPR, requires U.S. companies within its jurisdiction to implement a number of measures. One of them is the appointment of a data protection officer.
Under GDPR Article 37, controllers and processors that handle personal data of EU citizens must designate a data protection officer if either of two conditions apply: the entity's core processing activities, by virtue of their nature, scope, and purposes, "require regular and systematic monitoring of data subjects on a large scale"; or the entity processes, on a large scale, special categories of data or data relating to criminal convictions and offences. Each member state may supplement this list with its own, but we'll focus only on the GDPR requirements.
The Article 29 Working Party guidelines on data protection officers (DPO) clarify Article 37, and seem to indicate that a significant portion of businesses are likely to be required to appoint a DPO. Let's analyze the requirements.
Activities conducted on a large scale are especially targeted by GDPR Article 37. According to the guidelines, whether an operation is conducted on a large scale depends on factors such as the number of data subjects concerned -- the number or percentage of the relevant population; the volume or range of data; and the duration, permanence and geographical extent of the processing.
Online businesses, data analyses or applications, which rely extensively on the collection of data for activities such as the management of shopping carts, are likely to be affected. According to the example provided in the guidelines, the only entities affected are likely to be small businesses operated by a single person.
Regular and systematic monitoring
Another key element is regular and systematic data collection. According to the guidelines, regular means ongoing or occurring at particular intervals for a particular period; recurring or repeated at fixed times; or constantly or periodically taking place. Systematic means occurring according to a system; being prearranged, organized or methodical; taking place as part of the general plan for data collection; or carried out as part of a strategy.
The guidelines specify that all forms of tracking and profiling on the internet, including for behavioral advertising or collection of information generated by connected devices, requires the designation of a data protection officer.
Most online businesses are likely to conduct regular and systematic monitoring of users of their applications. The collection of a variety of data is critical to create the interaction necessary for the visitor to use the site, and for the service provider to respond to the user's needs. These activities are typical of the operations required to understand the needs of potential purchasers and improve and enhance interaction with visitors.
The Article 29 guidelines define a core activity as "the key operations to achieve the entity's objectives." It also includes "all activities where the processing of data forms an inextricable part of the controller or processor's activity." The guidelines cite the processing of data by a hospital as a core activity as an example because it is essential to the operations of the hospital, while payroll processing is not deemed to be a core activity at most companies.
When visitors' activities online are monitored to improve product design or enhance services, whether these activities constitute a core activity may depend on the purpose of the data. For example, a limited collection of data to identify the region from which visitors originate to determine the language of the visitor would not meet the threshold, while the collection of shopping cart information would, as it is essential to the operation of the service.
Should a data protection officer be appointed?
Until more practical definitions or examples are provided, it is likely that, in each company, at least some aspects of data collection might meet the Article 37 criteria, raising the question of if the appointment of a data protection officer is necessary.
Keep in mind that, according to the guidelines, the data protection officer -- whether mandatory or voluntary -- once appointed, is designated for all the processing operations carried out by the controller or the processor, not just those activities that meet the Article 37 definition. Thus, the decision has important consequences.
Further, when uncertainty arises, and a business determines that it does not need to appoint a data protection officer, the company is expected to document its conclusions and the reasons for its determination. This is part of its accountability obligations. It needs to present its analysis in connection with due diligence for a client or a regulator.
Thus, in all cases, appointing a data protection officer is a significant decision with significant consequences.
Learn more about GDPR's right to be forgotten
Find out why GDPR's breach notification rule complicates compliance
Discover why data tracking and encryption are critical for GDPR