GDPR Says Companies Must Have a Data Privacy Officer. Who Should That Be?

​Employers in the U.S. that must comply with the European Union (EU) General Data Protection Regulation (GDPR), which takes effect May 25, are struggling with the requirement to appoint a data protection officer. They also face grappling with the GDPR's 72-hour notification requirement upon discovery of a qualifying breach.

Data Protection Officer

The requirement to hire or appoint a data protection officer applies if a business is engaged in large-scale data processing, but there is no real guidance on what that means, according to Philip Yannella, an attorney with Ballard Spahr in Philadelphia.

If a business decides it will hire a data protection officer, it needs to decide if:

• The officer will work internally or externally.
  
• The company will hire a full-time officer or use someone on staff.
  
• The business will appoint an officer in Europe or the United States.
  

According to an Association of Corporate Counsel (ACC) Foundation report, The State of Cybersecurity Report: An In-House Perspective 2018, released in May, most (62 percent) of the surveyed 617 in-house lawyers at more than 412 companies in 33 countries are using current staff to function as data protection officers. Fourteen percent of survey respondents didn't know how the company was addressing the GDPR requirement to hire a data protection officer. Eight percent are hiring a full-time data privacy officer, while 5 percent are hiring an outside privacy officer, and 5 percent are using an independent company.

[SHRM members-only toolkit: Introduction to the Global Human Resources Discipline]

A data protection officer can't be fired because of the decisions he or she makes in that role, Yannella said. That spooks some U.S. companies, which are used to employment at will, he noted.

If a data protection officer is someone within an organization, he or she should be an expert on GDPR and data privacy. Yannella said the person most likely to have the requisite expertise is a chief privacy officer.

However, a data protection officer must act independently of the company. Consequently, it's tricky for an employee to be a chief privacy officer, who is constantly making decisions on behalf of the company, and a data protection officer, he observed. While the employer could not fire the chief privacy officer because of what he or she decides as a data protection officer, it could fire him or her for subpar performance in other job responsibilities.

Hiring a data protection officer internally in Europe has its advantages. Someone in Europe is more likely to have a greater familiarity with EU privacy law, he said. In addition, it's easier for someone in Europe to liaise with privacy regulators, he noted.

Breach Notification

The GDPR will require that notifications of data breaches are made within 72 hours of discovery. This requirement is much quicker than under U.S. state laws, said Amar Sarwal, ACC's chief legal officer and senior vice president of advocacy and legal services.

States typically require breach notification generally without undue delay or in a reasonable time—30 days is the quickest time period of any state, Yannella observed. Florida has the 30-day requirement.

When asked in the ACC report if respondent companies had determined how they would meet the 72-hour notification requirement, 37 percent said no, while only 34 percent said yes. Large companies were more likely to know how to respond to this requirement than smaller ones.

Yannella said companies that are technically covered by GDPR but don't have many contacts in Europe are struggling the most and aren't sure why they have to comply, particularly when the law is so broad and its penalties are so onerous.

ACC survey respondents said that the primary point of contact for a breach was the:

• Chief information officer (18 percent).
  
• IT department (17 percent).
  
• General counsel/chief legal officer (17 percent).
  
• Chief information security officer (13 percent).
  
• President/chief executive officer (10 percent).
  
• Chief privacy officer (4 percent).
  
• Chief risk officer (3 percent).
  
• Vice president (3 percent).
  

One in 10 respondents said that the company did not have a single point of contact, and 5 percent didn't know who that person was.

When asked whether they had cybersecurity insurance coverage, only 56 percent of respondents said they did. Yannella said this response surprised him, as it was only slightly higher than when the survey was conducted two years ago. He cautioned that it's risky to not be insured.