Does your Financial Services Firm Need a Data Protection Officer?

The General Data Protection Regulation (GDPR) is an EU law with the objective of making privacy laws fit the needs of the 21st century. GDPR significantly impacts any organization that processes EU citizens’ data – even if the business isn’t located in the EU. Data protection breaches are regularly making headlines and privacy has taken center-stage, ramifications for financial services organizations like banks and investment advisory firms are far-reaching; up to 4% of annual global turnover.

The finance industry is accustomed to strict regulations and oversight, but with the implementation of the GDPR, financial services organizations are required to tighten their policies and procedures around the usage and storage of personal data. In this blog, we clarify whether you need to panic and appoint a DPO right now? Is it based on staff size or if you’re a processor and not a controller?

The concept of appointing a Data Protection Officer (DPO) is not new, it has been best-practice and mandatory in some countries. However, the GDPR has made the appointment of a Data Protection Officer mandatory for many organizations, particularly within financial services.

What does a Data Protection Officer do?

Section 4 of the General Data Protection Regulation (GDPR) states that a Data Protection Officer is a lynchpin and plays a key role in ensuring compliance with the GDPR. The Data Protection Officer is not necessarily accountable for the organization’s GDPR Compliance. They are the first point of contact for data protection queries, working directly with the C-suite, and act as the liaison between the organization and the supervisory authority, such as the Information Commissioner’s Office (ICO) in the UK.

The Data Protection Officer needs to be the internal authority on data guidance, an expert on all things GDPR. The DPO must be independent, to avoid any conflict of interest, they cannot have a dual role as a DPO and in their organization.

Who is required to appoint a DPO?

Under the GDPR (Article 37), appointing a DPO is mandatory in the following scenarios whether you are a controller or a processor:

  • The processing is undertaken by a public authority
  • If you are processing large amounts of personal data or special categories of data, whether you are a controller or a processor (financial services organizations are likely to be caught here)
  • A controller or processor processing data on a large scale, particularly, sensitive data (Article 9) or criminal convictions/ offenses (Article 10)

A DPO is not required in the following scenarios:

  • personal information is not processed by your organization
  • personal data is processed but on a small scale

Even if a DPO is not necessary, Article 29 states that you should keep records of any data breaches and your decision-making process.

Clearly, if you process large amounts of data and the collection, handling, and monitoring of data form a key part of your business activities, then you are required to appoint a DPO, e.g you’re a hospital or a search engine. Other business activities involving large-scale processing of personal data include:

  • Fraud prevention
  • Detection of money laundering
  • Smart meters
  • Running CCTV systems
  • Behavioral advertising
  • Online tracking

A DPO is also required if you process special categories of data including:

  • Health data
  • Political opinions
  • Religious beliefs
  • Ethnic origin

How about if you’re not in the EU?

The GDPR applies to businesses offering goods and services within the EU, and to controllers and processors that process personal data of individuals in the EU, regardless of where the organization is established in the world. If your organization is not established in the EU, you are required to appoint a representative who is established in the EU to achieve GDPR compliance.

What are the tasks and liability of a DPO?

The GDPR requires the DPO to be appointed on the basis of professional qualities and, in particular, expert knowledge of data protection law and practices. The DPO should be involved in all data protection issues as early as possible and their focus should be on monitoring compliance. The DPO’s role and tasks are clarified in article 37(1), to be successful in this role, the DPO must remain independent. The Data Protection Officer must have regard for the scope, nature, content, and purpose of personal data processing whilst considering the risk associated with processing, their duties include:

  • To advise the organization and employees with obligations to comply with the GDPR
  • Assist with monitoring internal compliance
  • Raise awareness of data protection issues
  • Training staff
  • Conducting internal audits
  • Provide advice on, and to monitor, Data Protection Impact Assessments (DPIAs)
  • To cooperate with the supervisory authority
  • Act as a contact point for supervisory authorities and data subjects

The Data Protection Officer is not personally responsible for non-compliance with the GDPR. The liability is with the controller or processor to demonstrate that the processing activities are in line with the GDPR.  If an organization decides against following their DPO’s advice, they should record their decision making to demonstrate accountability.

Although a financial services firm can promote a member of staff to the role of DPO, it’s strongly recommended to appoint a DPO with expertise on the GDPR. Coping with these and other GDPR requirements could be challenging for many organizations, FileOM offers professional outsourced DPO services and can act as your GDPR partner.