If you are a data-driven European business, you will very likely need a Data Protection Officer (DPO) from 25th May 2018. But one year before the GDPR starts to apply, the question is: exactly when should you appoint a Data Protection Officer?
The answer will depend primarily on the complexity of your data processing operations and on your GDPR compliance strategy. The latter will also determine what you expect from your Data Protection Officer (DPO), and so help answer the question of exactly when to appoint one.
How complex are your data processing activities?
It is easy to get caught by the GDPR requirement to appoint a Data Protection Officer. According to the EU's top privacy body, it may be enough to carry out just one of the following: profiling and scoring for purposes of risk assessment (e.g. credit scoring, setting insurance premiums, fraud prevention, detection of money laundering); location tracking, for example by mobile apps; loyalty programmes; behavioural advertising; monitoring of wellness, fitness and health data via wearable devices; closed-circuit television; or connected devices, e.g. smart meters, smart cars, home automation, etc.
So as a mobile app provider, your data analytics might be relatively simple, but you will still require a DPO by 25th May 2018 at the very latest. Therefore, you might still have some time. But be careful: one year is not a long time once you consider searching for, selecting and negotiating with a DPO and, of course, the GDPR adaptation itself.
Will your Data Protection Officer adapt your business to the GDPR?
If that is the case, you need to hurry, because 25th May 2018 is not the day on which you start taking steps towards GDPR compliance. It is the day on which you already need to be in full compliance. Yes, you might be right that the data protection supervisory authority will probably not fine your business on the very first day the GDPR applies. But that misses the point. If, say, your mobile app's data processing consent does not comply with GDPR requirements in good time before 25th May 2018, you might already be in trouble: you will not be able to contact the same customers after 25th May 2018 to ask them for a valid GDPR consent!
Alternatively, you might perform an audit of your data processing operations now, take all the steps towards GDPR compliance, and only appoint a Data Protection Officer as of May 2018. You need to make sure that your GDPR audit and adaptation are carried out by data protection and privacy specialists, but they do not need to be the same people you want to appoint as your DPO. They are likely to be external experts, whereas you may be comfortable appointing an internal DPO.