Companies that transfer personal data from the European Union (“EU”) to the United States should be working toward compliance with the EU’s General Data Protection Regulation (“GDPR”) (Regulation (EU) 2016/679), which applies from 25 May 2018. Oh, but how silly, that’s, like, over a year away! Why should you care now? Because if you transfer personal data from the EU to the US, there is a lot to know about the GDPR, and getting compliant takes time. I’m going to focus on the Data Protection Officer (“DPO”) requirement today.
Organizations that process personal data of individuals in the EU (the GDPR looks at where the data subject is, not at nationality) may be a “controller,” a “processor,” or both. Let’s say you are a background screening company and you’ve been hired to conduct a background investigation or check on an individual who lives, or previously lived and worked, in the EU. You will very likely need to transfer data from the EU to the United States, and the bottom line is that whenever an organization transfers personal data of individuals in the EU to the United States, it needs to consider the GDPR in order to ensure compliance. You also need a lawful mechanism for the cross-border transfer itself (and for any onward transfer), but that’s for another blog posting.
Let’s talk about the DPO. Article 37(1) of the GDPR requires the designation of a DPO by a controller or processor (i) where the processing is carried out by a public authority or body (except for courts acting in their judicial capacity); (ii) where the core activities of the controller or the processor consist of processing operations which, by virtue of their nature, scope and/or purposes, require regular and systematic monitoring of data subjects on a large scale; or (iii) where the core activities of the controller or the processor consist of processing on a large scale of special categories of data (as defined in Article 9) and/or personal data relating to criminal convictions and offenses (as described in Article 10). Note that a background screening business can easily fall under (iii): criminal record checks are Article 10 data, and a large-scale screening operation is a core activity, not an incidental one.
Special categories of data under Article 9 are data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership; genetic data; biometric data processed for the purpose of uniquely identifying a natural person; data concerning health; and data concerning a person’s sex life or sexual orientation.
The DPO can be an internal employee or an outside consultant engaged under a service contract (Article 37(6)). The position of the DPO (independence, resources, reporting line, no conflict of interest) is described in Article 38, and the DPO’s tasks (advising on obligations, monitoring compliance, cooperating with the supervisory authority) are described in Article 39.
And, in case you are wondering about the cost of non-compliance? It’s steep. A violation of a controller’s or processor’s obligations related to the designation of a DPO can subject a company to administrative fines of up to 10 million Euros or up to 2% of the “total worldwide annual turnover of the preceding financial year,” whichever is higher (Article 83(4)(a)).
The Article 29 Data Protection Working Party has published guidelines on the role of the DPO, including its reading of when the “core activities,” “large scale” and “regular and systematic monitoring” triggers apply; they are worth reading alongside Articles 37 to 39.
So, if you find your company in this situation and are currently doing a Google search for GDPR, the privacy team here at AGG can help. Just shoot me an email at firstname.lastname@example.org.