Do I need a DPO?
Under GDPR, the Data Protection Officer (DPO) can be thought of as the champion of data subject rights - the person upholding the privacy rights of the end users of your application. The GDPR makes it very clear what a DPO must do:
- Inform the company and its staff what their duties are under GDPR and related regulations.
- Monitor their compliance with GDPR, including assigning responsibilities and ensuring staff are appropriately trained.
- Provide advice relating to DPIAs and ensure the company complies with them.
- Cooperate with the supervising data protection authority.
But what does that mean in practice? Let’s look at a few examples of where a DPO can help you.
Why a DPO is important
Assessing whether your providers are compliant: you need to make sure all your providers and contractors are compliant with GDPR. Your DPO can play a key role here, helping you determine what are the requirements and advising you on things like Data Processing Agreements.
Responding to data subject rights requests: GDPR provides a number of rights to data subjects. One of the most important things a DPO can do is help you respond to requests relating to these rights. Two of them can be extremely challenging for any company: the right of access and the right to be forgotten. In both cases, you need to be 100% certain the person contacting you is the real user. In the right to be forgotten, you need to assess whether there is some reason why you can’t delete the person’s data. This is tricky in the digital health domain because often there are strict requirements to store data for medical purposes.
Maintaining your GDPR documentation: there are a number of key documents relating to GDPR. Some of these are mandatory (e.g. privacy policy or records of processing activities) and some are only needed in some cases (e.g. DPIA). In all cases, your DPO can help make sure these are kept up to date.
When do I need a DPO?
So, now you know what a DPO does. However, what is less clear is exactly when you need to appoint a DPO in the first place. The only definite case is public bodies like hospitals, which always need a DPO. However, GDPR lists two other cases where a DPO is required:
Digital health companies are always processing health data (one of those “special categories of data”).
So, the question becomes: what counts as processing on a large scale? And are there other times I need to appoint a DPO?
Let’s look at some concrete examples.
1. Your app collects health data from thousands of users: if your app collects the health data of a large number of users, this will count as large-scale processing. A good benchmark is 10,000+ users. However, in some countries, this number may be lower.
2. B2B application: many digital health companies sell backend services to other businesses. For instance, APIs to conduct hearing tests, or eye exams. Often, you will find that your customers ask you to appoint a DPO.
3. Conducting clinical trials or external research: in almost every case, you need a DPO if you are conducting clinical trials. Likewise, many external research bodies will ask you to appoint a DPO, e.g. if you are developing machine learning models with a university.
Who can be a DPO?
The GDPR says a DPO needs “expert knowledge of data protection law and practices and the ability to fulfill” the tasks listed above. They should also be as independent as possible to avoid any perceived conflicts of interest. Typically, that means they should report directly to the board/CEO, but not have any executive role themselves. However, in small companies, that may not always be feasible.
Interestingly, the DPO doesn’t have to be an employee—you can use an external consultant or lawyer as your DPO.
Do I need it?
We often help digital health companies to decide if they need a DPO. Of course, every case is unique and needs careful analysis. However, we have the following advice:
1. Germany is easily the biggest health market in the EU. It also has among the strictest privacy rules of any country. Unless you are a tiny company, you will need an independent DPO to enter this market.
2. For many people, there is a clear link between needing a DPIA and appointing a DPO. Indeed, most DPIA templates require your DPO to sign off that they are happy with the risk assessment and controls. Thus, a large proportion of digital health companies are likely to need a DPO.
3. DPOs are invaluable if you want to use the data you collect for research or clinical studies. Most research organizations carrying out such research on your behalf will insist that you have one.
For many companies, appointing a DPO is both a daunting and expensive requirement. How can you find someone with the necessary expertise and experience who is able to prove they are independent? That's why we created our DPO as a Service.
Let me know in the comments below your thoughts about this topic. And make sure to share this article if you have found it useful.
Jovan Stevovic - CEO of Chino.io