The Article 29 Data Protection Working Party – also referred to as the W29 – issued its first set of guidance documents in regards to the upcoming European Union data privacy changes, known as the GDPR, at the end of last year.
Most marketers have a shocking lack of awareness about the GDPR, and it is hoped that this new guidance will provide additional details and motivation to begin readiness planning.
The first of the three documents, "Guidelines on data protection officers", unsurprisingly and painstakingly details the conditions under which an organisation will be required to designate a data protection officer.
Additionally, the guidance details the requisite skills needed, discusses the level of support and independence an organisation must provide to a data protection officer, and clarifies the role of such an officer in both data protection activities and compliance with the forthcoming regulations.
Being only 18 pages long, it is a short and easy-to-understand document that should allow you to determine whether your agency or brand needs to review your existing privacy officer roles or introduce new ones.
However, as time is always at a premium, let me attempt to save you some and answer the question for you. Yes – absolutely and with urgency.
Within the GDPR, Article 37 requires the designation of a data protection officer in three specific cases: where processing is carried out by a public authority; where core activities consist of processing operations that require regular and systematic monitoring of data subjects; and where core activities consist of processing special categories of data on a large scale.
These cases appear sufficiently straightforward on the surface but, as the W29 explains, the second case is far broader than may be realised, and the guidance discusses the definitions and examples of "core activities", "large-scale" and "regular and systematic monitoring".
Core activities can be considered as the key operations necessary to achieve a data controller and/or processor’s goals – a very broad definition indeed.
As the examples in this guidance demonstrate, although the primary activity of a hospital is to provide healthcare, it is impossible to do so without processing health data (e.g. patient records), and such processing is therefore considered a core activity.
In our world of digital products and services, it will be next to impossible to argue for an exemption. Data has become an inextricable part of operations and it is recognised that appropriate care must be given.
Similarly, with the classification of online identifiers such as cookies and IP addresses as personal data, our industry squarely meets the definition of data processing on a large scale.
While no explicit threshold is set within the GDPR, the W29's definition of "processing a considerable amount of personal data at a regional, national or supranational level which could affect a large number of data subjects and which are likely to result in a high risk" appears squarely aimed at our industries.
Within the guidance, the W29 provides two specific examples that should remove any question: "processing of real-time geolocation data of customers" and "processing of personal data for behavioural advertising by a search engine".
As with large-scale processing, the GDPR is light on actual definition of frequency regarding regular and systematic monitoring, but the guidelines clarify that "the concept of ‘monitoring the behaviour of data subjects’… clearly includes all forms of tracking and profiling on the internet, including for the purposes of behavioural advertising".
The guidance from the working group makes it clear that data protection officers will not only be required by law, but will also be a crucial resource in helping brands ensure their organisations are aware, informed and ready.
The need for a data protection officer should not come as a surprise to anyone, however, and the new guidance should serve as a reminder of the importance for brands to avoid the punitive multimillion-euro penalties that will arrive with the introduction of the GDPR in May 2018.
With demand continuing to increase in this field, securing your data protection officer teams and talent now will prove a wise investment indeed, as this is only the first of many sets of guidance expected to be delivered in 2017 and each will provide further details on what will be required to stay on the right side of the law.