One of the innovations of the GDPR for corporations, corporate groups and groups of undertakings is the introduction of a so-called group data protection officer. This is regulated in Art. 37 II GDPR which states:
„A group of companies may appoint a joint data protection officer provided that the data protection officer can be easily reached from any location.“
Since the transfer of personal data within a group of companies is part of its everyday operations, a common data protection officer can provide relief by creating consistent data protection rules and concepts and acting as a single point of contact for the entire group. The concept of a group of undertakings is defined in Art. 4 No. 19 GDPR as a group of companies in which there is a ruling company and dependent companies.
As another requirement, the standard mentions easy accessibility of the group data protection officer meaning that all employees, but also the local supervisory authorities and those affected can easily reach him and communicate. Especially within global enterprises that have subsidiaries and branches in many different countries, the different languages can be a significant communication barrier. However, no-one can be expected to speak, in addition to the required data protection qualification, every language of every branch in each country. Here is the recourse to a common language, especially English a possible solution. Additionally, data protection coordinators in each individual company can act as a link between the local regulatory authorities and the group data privacy officer.
However, it is often difficult to find a suitable and qualified person who has both the necessary (international) qualifications and is familiar with the way in which companies operate. Thus, an external group data protection officer can present an adequate solution.
What are the tasks of a group data protection officer?
In principle, the tasks which a group data protection officer must fulfill are based on the same requirements as any other data protection officer, which is standardized in Art. 39 GDPR. Namely:
- to advise and inform the responsible persons regarding the implementation of the GDPR in the group
- to enable compliance with the GDPR and foster a data protection culture within the organization
- to maintain policies and procedures on data protection
- the monitoring of the provisions of the GDPR within the group, which also includes sensitizing employees with regard to the basic data protection requirements and requirements, as well as their training
- the group data protection officer advises on the privacy impact assessment
- support data incident responses and notification procedures for data breaches
- he or she works with the regulators and is their first point of contact
An external group data protection officer usually has experience with various groups of companies and has been involved with various data protection challenges, so that he can quickly adapt a solution for another group.
Two challenges for a group data protection officer
The difference to a data protection officer, who is only responsible for a single company, is the complexity of the (international) data flows of personal data and the organizational structure of the group. For example, it often happens that there is no single contact person in a group who has an overall view of a particular process, which may be relevant when drawing up the list of processing activities.
Another challenge is that although the GDPR is uniform throughout the EU, there are national specifications and differences in the individual member states of the EU that need to be taken into account. For this purpose, consulting professionals with local legal expertise for individual issues may be a possible solution.
Nevertheless, the designation of a group data protection officer can be a considerable relief for the group. Important for this is the development of a suitable data protection organization within the group, the support on the part of the company management and sufficient financial and personnel resources for the group data protection officer. Especially an external data protection officer can be a pragmatic, professional and timely solution, which is often cheaper than setting up your own data protection department within the group.