Data Protection Officers - To Be or Not to Be?
One of the most hotly debated topics as we look towards the “Brave New World” of GDPR and Data Privacy legislation is the role and responsibilities of the Data Protection Officer (DPO) and whether a hedge fund or private equity firm should or needs to have one. In contemplating this, fund managers have looked first to their legal advisers, then to the regulation texts, and then to clarification from the regulators. As is so often with regulation that stems from “aspirational” notions of the “wouldn’t it be nice” crowd, the regulation has been written to encompass just about everything and everyone, without fully understanding if it is practical to do so - and the side effects.
Most of this debate comes from assumptions being made by participants and experts in the market that have been extrapolated from one context to be conflated with another. They boil down to two opinions:
A staff headcount of less than 100 or 250 means our fund will not need a DPO
The DPO is a role that should (or should not) be conducted by a member of staff/director of the company
Fund managers believe the regulation is ambiguous and therefore the answer is the opinion with which it suits you to agree. Like most financial services regulation when it first comes to be enacted, hedge fund and private equity firms are cherry picking the opinion that suits them best. “We placed our own interpretation on the recommendations” is a stock phrase which has been bandied about for years. Unfortunately, we don’t have the luxury of that approach to the upcoming GDPR legislation and so we need to look for the clues.
In October 2017 the ICO published a list of charges (consultation has now ended) for their services that they will be expecting companies to pay. These are based on turnover, headcount and number of records processed. They are:
Tier 1: Small and medium firms that do not process large volumes of data
Staff headcount below 250; and Turnover below £50M per annum; and Number of records processed under 10,000
Tier 2: Small and medium firms that process large volumes of data
Staff headcount below 250; and Turnover below £50M per annum; and Number of records processed above 10,000
Tier 3: Large businesses
Staff headcount above 250; and Turnover above £50M per annum
Direct marketing top up
Organisations that carry out electronic marketing activities as part of their business.
The proposed amounts are:
Tier 1: annual fee of up to £55 Tier 2: annual fee of up to £80 Tier 3: annual fee of up to £1000 Direct marketing top up fee of £20
These charges give a greater clue for the need for a DPO than any other criteria. 10,000 records of personal data within your company is considered the benchmark for lower fees, so this is probably the clearest indicator of considered values of large scale processing we have seen so far. The regulation makes clear that anyone undertaking large scale processing needs a DPO and there is no headcount stipulation, despite the mistaken 100 and 250 headcount numbers being bandied around the market.
This will mean that all those clinging to the idea that their headcount being under 100 or 250 is a get out clause are going to come unstuck when the ICO comes knocking and wants to see your DPO. 10,000 records is not very much. Many people within hedge fund and private equity funds will have 2-3,000 email addresses of people just in their own files? Even in a smaller hedge fund or private equity firm with only 4 or 5 people, that threshold will be breached. It’s important to remember that email addresses with names on them owned by companies are personal data; for example, my email address - email@example.com - is, although something like firstname.lastname@example.org is not. Just check your inbox to realise the size and scale of the problem.
A much better way to think about whether you should appoint a DPO is to ask yourself ‘how can I gain an advantage from having one?’ Practically, hedge funds and private equity firms should be thinking about how to use DPO’s effectively and hire one, especially if your industry is already regulated for control frameworks. The ICO (regulator in the UK) has been saying for over a year that this person is an important conduit between your business and the regulator. They also will need to be made aware of your intent to do new business, new projects, IT architecture changes (Privacy by design is a requirement for all systems). The DPO is an effective tool to bind your control mechanisms together and they need to be a person who understands the complexities of your business.
Who to pick and how to use them effectively?
There are three clear requirements when considering whom to appoint as your DPO; they need to be qualified, independent and enabled to operate at an effective level. Qualified might seem obvious but their qualifications must include an understanding of your business model and process. So, hiring someone that knows IT software companies if you are an asset manager isn’t appropriate; you need someone who understands the complexities of your business. This should make for an interesting competition for resources.
Enabling them to operate at an effective level means they need access to the power that controls your organisation. That doesn’t necessarily mean being on the board, but they will have to have line of sight to it and their recommendations need to be discussed and monitored at this level.
Independence is the hardest one to determine. Can a junior member of staff really be independent in his decision-making reporting into the higher echelons of a company? This is probably one for the HR professionals to answer but to my mind, I think a junior member of staff will struggle, not least because they are also likely to be given other tasks that will be considered to take precedence; that means a lack of control. So how about a board director? Even worse, as they already have a statutory responsibility to the shareholders, thus that would create a conflict.
Many organisations have decided the appropriate person is legal counsel. This is probably as good a decision as any, as this means that any legal stipulations that need to be abided by will be covered (contracts will be correct, for example). But what about the operational capability? And technology constraints and undertakings? We believe that a function such as DPO should be held by a Non-Executive Director or a function close to it, such as a Chief Control Officer, that can provide input at all levels. The choice for business really comes down to an outsourced DPO (NED like) or some form of officer for control internally. Then make sure that they are free to challenge and to go where needed.