In getting ready for GDPR (General Data Protection Regulation), and putting in place the measures to make Mailjet 100% compliant, one question I had to ask was: are we required to nominate a DPO?
Firstly, what is a DPO?
For background, a Data Protection Officer (DPO) is an individual – internal or external to the organisation – that is involved in all issues which relate to the protection of personal data. Their responsibilities include such things as advising the company of their data protection obligations, monitoring compliance with the rules in place, cooperate with the data authorities, act as the contact point for data protection questions.
So, when do you need a DPO?
While the concept of a DPO was not exactly a new one, the GDPR has now made mandatory its appointment for certain companies. GDPR states that there are three cases where the designation of a DPO is mandatory:
- The data processing is carried out by a public authority or body.
- The core activities consist of data processing operations that require regular and systematic monitoring of data subjects on a large scale.
- The core activities consist of data processing on a large scale of special categories of data or data relating to criminal convictions and offences.
OK, it’s nice enough to list out these specific 3 cases. But let’s be honest, it’s a bit ambiguous. Being an email service provider (if you didn’t know, Mailjet is a private company that sends millions of emails for clients all over the world) I was pretty sure we didn’t fall into the first or last case. Not the first case because we are not a public entity. Not the last case because we do not process any “special” data. But what about the second one? It wasn’t exactly clear. Large-scale data processing? Regular and systematic monitoring? What was the exact definition of these terms? As a side note, and fortunately, the Data Protection Working Party on GDPR released guidelines on DPOs that helped answer these questions. But not to my luck, these guidelines came out after the fact.
Today these guidelines give various examples of large-scale processing, that now clarifies the terminologies. Examples they offer include; processing of patient data in the regular course of business by a hospital, processing of travel data of individuals using a city’s public transport system, processing of personal data for behavioural advertising by a search engine.
It’s a good point to know, not all companies are required to nominate a DPO (whether internal or external to the company). For all good measures though, and since we do process data and personal data on a daily basis (personal data includes names, addresses, emails, etc.), some more thought was required.
I decided to investigate further…
I invited an attorney (recommended by our own CTO) specialised in personal data matters (data processing and data protection rights & CNIL declarations and controls) to the office to have a chat on what types of assistance he could provide to us. After over an hour of discussion with him, I realised one thing: the new GDPR regulation is so new, that no one is an expert. We were all in the same boat trying to figure out at the same time what GDPR really means and how we could implement the specific provisions. We were all on the same learning curve.
So after analysis of his proposal, evaluation of the costs involved (not a small chunk of change!), and after discussing internally in our company with our CEO and CTO, I decided against the hiring of an outside DPO. The time and money involved to learn our data systems and processes in place did not pan out.
Of course, if you do not have an in-house legal counsel or compliance officer in your organisation, you may need to call upon an outside external expert to take your company on the right path towards GDPR compliance.
A new challenge for yours truly
Yes, I already was pushing through as Head of Legal of our company with all the myriad of responsibilities that go along in that respect. I had to now add the task of DPO and GDPR compliance to that list! But since I can never turn down an interesting opportunity… I accepted the exciting challenge! And took on the designation as – Darine Fayed, DPO. It made the most sense, since I was already dealing with the legal aspects of data privacy on a day to day basis. I was entering into data protection and EU Model agreements regularly, acquiring knowledge cloud processor requirements and rights of recipients daily.
Now to tackle being GDPR compliant and as I do best: setting an ETA way ahead of schedule! End of year is just around the corner!
By Darine Fayed, head of legal at Mailjet
GDPR Summit Series is a global series of GDPR events which will help marketers to prepare to meet the requirements of the GDPR ahead of May 2018 and beyond. Further information and conference details are available at http://www.gdprsummit.london/
comments powered by Disqus