The General Data Protection Regulation (GDPR) is a fairly complicated set of international regulations regarding the privacy of EU citizens, and as an HR professional, you need to ensure that your company is in compliance. Among its many requirements, the GDPR says that any company that engages in large-scale processing of certain categories of personal data of EU citizens must hire or appoint an independent data protection officer. Does your company need one?
It turns out that answering that question is difficult for many companies because the GDPR doesn’t offer any real guidance on what it means to process data on a large scale as a core activity. Furthermore, if a company decides to appoint a data protection officer, it’s hard to say whether that person should be hired from within or retained as a consultant and if he or she should reside in the United States or Europe. A third difficulty arises from the stipulation that a company cannot fire its data protection officer for any decisions he or she makes in performing that role, which seems at odds with the at-will employment status most often recognized by U.S. labor laws.
In its Guidelines on Data Protection Officers, the Article 29 Data Protection Working Party has sought to clarify some of these questions, while acknowledging that plenty of questions remain. They say, “Indeed, it is not possible to give a precise number either with regard to the amount of data processed or the number of individuals concerned, which would be applicable in all situations. This does not exclude the possibility, however, that over time, a standard practice may develop for identifying in more specific and/or quantitative terms what constitutes ‘large scale’ in respect of certain types of common processing activities.”
By necessity, certain professionals like doctors and lawyers maintain a lot of personal data about their patients and clients. “To effectively represent clients and perform all their duties under the law, lawyers must keep records of some very sensitive personal information, including data related to criminal offenses and convictions,” says Jason Hennessey, marketing consultant of Newsome Melton. This raises a question: Do professionals such as these need to appoint a data privacy officer?
First of all, any company with this question ought to ask a qualified attorney familiar with the GDPR. Secondly, few of these individual professionals are performing data processing or monitoring at a “large-scale” or as a “core activity” of their business, so the rule for needing a data privacy officer would not apply. However, an entire hospital processing patient data may qualify as large-scale processing, as well as an international fast food chain processing real-time geolocation data of its customers.
Unfortunately, the language of the GDPR is quite ambiguous, and because it has only been in effect since May 25, companies have very little precedent to guide them. Given the potentially onerous penalties involved with violating the GDPR, companies ought to seek the counsel of a qualified attorney or consulting company.
Does Your Company Have a Data Privacy Officer? You Might Need to Get One
Source: HR.com Articles