1) Whether to appoint a DPO. The EU General Data Protection Regulation (GDPR) mandates that an organization must appoint a data protection officer (DPO) under three conditions: it is a public authority, it engages in systematic monitoring of people, or it processes sensitive personal data on a large scale. Some multinationals are reading this requirement as narrowly as possible in order to avoid needed to establish this overhead, and documenting their rationale in internal memos. Others who do not believe they are strictly required to appoint a DPO are still planning to do so in order to establish centralized and positive relations with regulators. If companies face moderate or elevated regulatory, litigation, or contractual risk vis-à-vis the GDPR and Europe is an important source of future revenues, they should seriously consider appointing a DPO.
2) Where in the world to base a DPO. Placing the DPO in the EU member state of a company’s “main establishment” under the GDPR best positions the DPO for success. The DPO will be able to have a closer relationship with the regulator, speaking in the same language, and understanding that member state’s particular interpretation of the GDPR. For multinationals with European operations centralized in the UK, Switzerland, or Norway, for example, the advantages of a main establishment are not possible because these countries are outside the EU or soon will be. As a result, some multinationals with high exposure to the GDPR are considering restructuring their operations from these locations to a member state such as Germany, France, or the Netherlands. But the vast majority of companies in this situation calculate that doing so is far more expensive than appropriately managing relationships with multiple regulators and providing the DPO more resources across major member states to do so. Several American multinationals with data processing and related decision-making centralized in the U.S. are placing the DPO at their American headquarters to have maximum influence. Multinationals should place their DPO where their data-processing operations are centralized, regardless of Brexit or other main-establishment considerations
3) Where a DPO should sit within an organization. Data protection has historically been a legal function in Europe. Because of this historical momentum, and because legal knowledge will be a critical success factor for DPOs, many companies headquartered in Europe are placing the DPO in the legal department. American multinationals, however, which have a more diverse approach toward placing their chief privacy officers, are considering functions with more of an independent mission such as internal audit, enterprise risk management, and ethics and compliance. If companies place their DPO in the legal department, they should establish a separate EMEA privacy counsel to enable the DPO to be independent. If companies place their DPO in internal audit or other independent function, the DPO should have appropriate legal knowledge.
4) Whether to make the German DPO the GDPR DPO. Because of Germany’s pre-existing requirements to appoint a DPO, many multinationals already employ one there. Companies with German headquarters are often elevating the role of their German-based DPO to be their GDPR DPO. For others, however, the decision is not as easy. Often, the German DPO is either only knowledgeable in German data protection law or forms a stricter interpretation of the GDPR than counterparts in other member states. For these reasons, many multinationals who have decided to appoint a DPO are establishing one separate from their German DPO and are having the German DPO report to the new GDPR DPO. Unless Germany is a company’s GDPR main establishment, or the German DPO is exceptionally qualified, a different individual should be selected as the GDPR DPO.
5) Whether to use an outsourced DPO. Most multinationals that have decided to appoint a GDPR DPO are only considering the role as a full-time employee. That said, the GDPR allows companies to assign the DPO responsibility to a contracted person or firm. This can be an attractive option for companies that have a limited exposure to GDPR, and it has been a common approach toward meeting the German DPO requirement. Companies that are struggling finding a business-minded DPO with all of the location, language, and skill requirements are supplementing their full-time DPO employee with a contractor who supplements the missing gaps. Companies that have limited GDPR exposure or have not settled on a long-term privacy organization strategy should consider an outsourced DPO option, but the most successful long-term strategy will likely be an employee appointment.
6) Whether to make the CPO the DPO. American multinationals with an established chief privacy officer (CPO) have considered adding the DPO responsibility to their privacy leader to avoid overlapping responsibilities and duplicative headcount. Others have decided against this approach, seeing their CPO as an advocate for the business relative to the EU data protection authorities (DPAs), and their DPO as effectively an agent of the DPAs. Large companies with high exposure to the GDPR should separate the CPO and DPO functions to help both be most successful with their complementary roles, but a combined role could be successful with less GDPR exposure if the privacy program is mature and its CPO/DPO is sufficiently independent.
One estimate last year suggested that the GDPR would generate demand for 28,000 DPOs in Europe and America, and 75,000 worldwide.
7) How the DPO should relate to the CPO if they are separate roles. The GDPR requires that the DPO report to the senior management of the European operations. This will often diverge from the reporting relationship of the CPO, particularly of companies headquartered outside Europe. Multinationals in this situation are adopting various models centered on a dotted-line reporting relationship between an EU-based DPO and a non-EU-based CPO. Because of their complementary and potentially overlapping roles, the DPO should have a dotted-line reporting relationship to the CPO.
8) Whether to have multiple DPOs per line of business. Large multinationals sometimes field data privacy teams of more than 20 or even 50 people. Some teams are large enough to justify privacy leaders of individual business units. As the GDPR begins to shape their privacy organization of the future, some multinationals with large privacy teams – particularly those headquartered in Europe – are considering assigning the ‘DPO’ title to a second tier of privacy leaders under their global DPO. Most, however, are avoiding this approach because of the legal effects of the DPO title. Unless a company concludes its business units are large and diverse enough requiring their own DPOs, they should start with appointing a single DPO, giving other privacy leaders a “CPO,” “privacy officer,” or equivalent title.
9) How to resource the DPO for success. The EMEA privacy counsel role for many multinationals is a one-person show. The DPO responsibilities laid out in the GDPR, however, merit a re-evaluation of this role to determine if executing against them will rather require a program office with supporting staff and outside professional services surge support. Companies reaching this conclusion are currently making the business case for expanded headcount in 2018. Companies setting up a DPO role should conduct a formal resource assessment to determine their appropriate one-time and ongoing staff, contractor, and outside counsel needs for optimal DPO success.
10) Whether becoming a DPO is a good career move. After more than a decade of being a terminal career position, the American CPO role – particularly in the technology sector – has opened up to be a platform to other roles such as head of Ethics and Compliance, General Counsel, head of Enterprise Risk Management, and Chief Data Officer. This is because some CPOs have concerted their efforts to align the agenda of their offices to the business strategy and demonstrate an important contribution to the company’s revenue bottom line. The DPO role – which is designed to be independent of the business strategy – poses a greater risk to individuals of becoming their career cul de sac, casting them as obstacles to business objectives. The visibility of the position, however, can provide people in more junior positions an attractive promotion. DPO candidates should carefully weigh their career objectives before accepting this role, particularly in sectors that have been traditionally less regulated than, for example, financial services.
One estimate last year suggested that the GDPR would generate demand for 28,000 DPOs in Europe and America, and 75,000 worldwide. Such projections will only come true if many companies employing more than 250 people weigh the risk of non-compliance and conclude they need a DPO. Companies appear to be moving cautiously and deliberately on this question.