Q: I am looking to expand my business into Europe. I have a Data Protection Officer (DPO) based in our headquarters in the USA, but do I need to appoint another DPO in Europe? And if so, can that person also be my DPO in the UK?
The answer to your question will depend on what your organisation is like.
First, as you are expanding internationally, you will need to stay up to date with the requirements in all the countries in which you operate. Most countries with data protection laws require at least some organisations to either appoint someone as a DPO or to be the accountable person for data protection across the organisation. This may only apply to certain types of organisations and the requirements of the role can vary by country. You will need to consider whether your current DPO meets the requirements in the EU and UK. You will also need to consider how your DPO will stay up to date with the requirements in all the countries in which you operate, especially where they may be published in a language that the DPO does not know.
Second, you will need to think about how your organisation is structured. The main EU and UK data protection laws both allow one person to be appointed as DPO for a whole group. However that person needs to have expertise in both applicable data protection law and the kinds of processing your organisation carries out. They also need to be able to report to the most senior management layer of the organisation. If your organisation has one head office and offers products and services based on similar kinds of processing activities everywhere it operates, it may make sense to have one DPO. However if your organisation is more complex, it may make sense to have more than one.
Third, you need to think about the work required. In the EU and the UK, the supervisory authorities expect that the DPO will be accessible to them. That means the authority can use their own language and that it will be possible to liaise with the DPO within normal working hours. They recommend appointing a DPO in the EU to ensure they are accessible, however this requirement can also be fulfilled in other ways. For example, a global DPO might appoint someone local to support them. If accessibility is an issue for the supervisory authority, it will also be an issue for your local team.
In many organisations, international expansion does not require head office functions to be replicated in every location. It is quite common for organisations to enter a new country with a simple set up like sales, fulfilment and perhaps some local HR or finance support. Some businesses may not need any local employees or offices at all. In this case, it might not be possible to identify someone suitable to provide all the support the DPO needs from the local team. If there is no ‘establishment’ in the UK or EU, you will need to appoint a UK and/or EU Representative to be the local point of contact for the supervisory authorities.
If you decide not to appoint a DPO in the EU and/or UK, you might decide to appoint a data protection consultancy such as Gemserv to support the DPO and a Privacy Champion within the local business unit to help the organisation implement data protection policies and monitor compliance.
