By this time next year, it is estimated [1] that more than 75,000 individuals will need to be recruited by companies both in and outside the European Union to comply with new rules on data protection.
The General Data Protection Regulation (GDPR), which comes into effect May 25, 2018, reforms data protection legislation across the 28 member states of the EU. However, its reach is such that the regulation will apply not just to those companies physically present within the EU but also those that trade with the citizens of the EU.
Article 3 of the GDPR extends the scope of the law to the processing of personal data of individuals who are in the EU “by a controller or processor not established” in the EU, where the processing activities are related to either the offering of goods or services, for a fee or otherwise, to such individuals; or the monitoring of their behavior within the EU.
A data controller is defined as the person who determines the purposes and means of the processing of personal data. A data processor is a person who processes personal data on behalf of the controller.
The intention of the GDPR reform is to modernize the law and provide a framework within which organizations processing personal data are accountable to public authorities and individuals for compliance with the GDPR. One of the cornerstones of the new data governance regime is the role played by data protection officers (DPOs).
In the case of processing by private sector organizations, article 37(1) of the GDPR requires the designation of a DPO by either a data controller or a data processor in any case where:
- the core activities of the controller or the processor consist of processing operations that require regular and systematic monitoring of data subjects, on a large scale; or
- the core activities of the controller or the processor consist of processing of special categories of data, on a large scale. These include: personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, or data concerning health. The processing of such data is only permitted with the explicit consent of the individual or for one of the reasons specified in article 9.
Effect on the contingent workforce program. The first of these cases, and potentially the second, would seem to describe the activities of staffing firms, VMS and MSP providers, and possibly contingent worker program managers or HR teams managing a contingent workforce.
Even when it is not mandatory to appoint a DPO, it may be advisable given the substantial penalties that are set down in the GDPR. Certain infringements may result in administrative fines up to €20 million, or in the case of an undertaking, up to 4% of the total worldwide annual revenue of the preceding financial year, whichever is higher.
The GDPR replaces the Data Protection Directive 95/46/EC. While the former did not require the appointment of a DPO, it has been common practice in several EU member states, notably Germany, for many years.
The DPO. Article 37(5) of the GDPR states that the appointment of a DPO should be on the basis of professional qualities, and in particular, expert knowledge of data protection law. The appointee must also be able to inform and advise the controller or processor, and monitor compliance with the “policies of the controller or processor in relation to the protection of personal data, including the assignment of responsibilities, awareness-raising and training of staff involved in processing operations, and the related audits.” They must cooperate with the supervisory authority, act independently without instruction as to how to do their job, and crucially, may not be dismissed or penalized for carrying out their tasks under the GDPR.
The DPO does not have to be legally qualified but must have integrity and sufficient understanding of the business operations, information systems and data security measures in place within the controller’s or processor’s organization. The GDPR stipulates they must report directly to the highest management level of the controller or the processor.
Tall order. Finding 75,000 individuals to fit such a job description is going to be quite a tall order. The International Association of Privacy Professionals came up with this estimate by using statistics from Eurostat of large EU enterprises (defined by the EU as those with more than 250 employees), public authorities and financial industry bodies. They also included 9,000 US companies that regularly transfer personal data from the EU to the US.
This sounds like a windfall for staffing firms, but many of these individuals will be appointed from organizations’ existing IT or legal staff, as knowledge of the operational workings of a business is more difficult to acquire through training than knowledge of the law.
There is also a business opportunity here for law firms, IT services providers and others as it is not a requirement that the DPO be an individual employed by the controller or processor organization.
Wherever the DPO comes from, there are just 12 months to make that appointment.
The first step for an organization is to audit the operations of the business to determine whether it is required to appoint a DPO or whether it would be advisable to make a voluntary appointment. The second step is to identify whether such an appointment could or should be made internally, by hiring, or by engaging an external provider. Third, once an appointment is made, training will be necessary.
In any event, every organization that is within scope of the GDPR should be auditing their data security, the ways and means by which data is processed, and their policies and procedures around data protection to be ready for May 2018.