As organizations that handle the data of Europeans settle into the third year of enforcement of the EU’s General Data Protection Regulation, some are struggling to define and understand the role of a data protection officer as required under the regulation – including whether the CISO should take on the extra role of DPO.
Broadly, GDPR requires organizations to appoint a DPO when their core activities involve large-scale processing of sensitive personal data or large-scale, regular and systematic monitoring of individuals; the precise triggers are set out below.
A joint report by the International Association of Privacy Professionals and Ernst & Young, published last year, revealed inconsistencies in how companies are implementing the DPO role, including whether the CISO also serves as DPO.
When Is a DPO Required?
Article 37(1) of GDPR requires the designation of a DPO in three specific cases:
- Where the processing is carried out by a public authority or body (except for courts acting in their judicial capacity);
- Where the core activities of the controller or the processor consist of processing operations which, by their nature, scope or purposes, require regular and systematic monitoring of data subjects on a large scale;
- Where the core activities of the controller or the processor consist of processing on a large scale of special categories of data, or of personal data relating to criminal convictions and offenses.
“Core activities” refers to the key operations necessary to achieve an organization’s goals, as opposed to ancillary functions such as payroll or standard IT support.
For example, the core activity of a hospital is to provide healthcare. But a hospital cannot provide healthcare safely and effectively without processing health data, such as patients’ health records, so that processing is inseparable from the core activity. Because health data is a special category of personal data, a hospital that processes it on a large scale falls within the third case above and must designate a DPO.