I’m Darine Fayed (Head of Legal @Mailjet, attorney practicing for more than 14 years), and I write from the personal viewpoint of an in-house lawyer who, along with the rest of EU and international companies, is under pressure to get our company ready for GDPR before May 2018. New to GDPR and wondering if it affects you? (Psst – it probably does.) Head here to our GDPR resource hub.
In getting ready for GDPR (General Data Protection Regulation), and putting in place the measures to make Mailjet 100% compliant, one question I had to ask was: are we required to nominate a DPO?
For background, a Data Protection Officer (DPO) is an individual – internal or external to the organization – who is involved in all issues which relate to the protection of personal data. Their responsibilities include such things as advising the company of its data protection obligations, monitoring compliance with the rules in place, cooperating with the data authorities, and acting as the contact point for data protection questions.
While the concept of a DPO was not exactly a new one, the GDPR has now made its appointment mandatory for certain companies. GDPR states that there are 3 cases where the designation of a DPO is mandatory:
- The data processing is carried out by a public authority or body.
- The core activities consist of data processing operations that require regular and systematic monitoring of data subjects on a large scale.
- The core activities consist of data processing on a large scale of special categories of data or data relating to criminal convictions and offenses.
OK, it’s nice enough to list out these specific 3 cases. But let’s be honest, it’s a bit ambiguous. Being an email service provider (if you didn’t know, Mailjet is a private company that sends millions of emails for clients all over the world) I was pretty sure we didn’t fall into the first or last case. Not the first case because we are not a public entity. Not the last case because we do not process any “special” data. But what about the second one? It wasn’t exactly clear. Large scale data processing? Regular and systematic monitoring? What was the exact definition of these terms? As a side note, and fortunately, the Data Protection Working Party on GDPR released guidelines on DPOs that helped answer these questions. But not to my luck, these guidelines came out after the fact.
Today these guidelines give various examples of large-scale processing, which now clarify the terminology. Examples they offer include: processing of patient data in the regular course of business by a hospital, processing of travel data of individuals using a city’s public transport system, and processing of personal data for behavioral advertising by a search engine.
It’s a good point to know: not all companies are required to nominate a DPO (whether internal or external to the company). For good measure, though, and since we do process data and personal data on a daily basis (personal data includes names, addresses, emails, etc.), some more thought was required.
I invited an attorney (recommended by our own CTO) specialized in personal data matters (data processing and data protection rights & CNIL declarations and controls) to the office to have a chat on what types of assistance he could provide to us. After over an hour of discussion with him, I realized one thing: the GDPR regulation is so new that no one is an expert. We were all in the same boat trying to figure out at the same time what GDPR really means and how we could implement the specific provisions. We were all on the same learning curve.
So after analysis of his proposal, evaluation of the costs involved (not a small chunk of change!), and after discussing internally in our company with our CEO and CTO, I decided against the hiring of an outside DPO. The time and money involved to learn our data systems and processes in place did not pan out.
Of course, if you do not have an in-house legal counsel or compliance officer in your organization, you may need to call upon an outside expert to put your company on the right path towards GDPR compliance.
Yes, I was already pushing through as Head of Legal of our company with the myriad responsibilities that go along with that role. I now had to add the task of DPO and GDPR compliance to that list! But since I can never turn down an interesting opportunity… I accepted the exciting challenge! And took on the designation as – Darine Fayed, DPO. It made the most sense, since I was already dealing with the legal aspects of data privacy on a day-to-day basis. I was entering into data protection and EU Model agreements regularly, acquiring knowledge of cloud processor requirements and rights of recipients daily.
Now to tackle being GDPR compliant and as I do best: setting an ETA way ahead of schedule! End of year is just around the corner!
Are you on a GDPR compliance journey? Have you too taken on the challenge of DPO? Tell the Mailjet team about it on Twitter.
This post was first published on the Mailjet Medium account.