How do you know if you should appoint a Data Protection Officer (DPO)?
Many organisations are unsure about whether they need to appoint a Data Protection Officer (DPO). The question comes up in almost every piece of General Data Protection Regulation (GDPR) work we are involved in.
Let’s take a look at the reasons to appoint a DPO, and the reasons not to, so that you can make an informed decision. Documenting that decision is part of your GDPR accountability obligations.
Before we look at what a Data Protection Officer does it’s worth mentioning two scenarios that we come across regularly in relation to this topic when we provide GDPR consultancy.
Firstly, the person responsible for information compliance/security in the business has jumped straight in. They have thrown together a few policies and appointed themselves as the DPO for the business. This creates its own set of issues and problems, not least around the independence and absence of conflict of interest that the role requires.
Or secondly, the person responsible for information compliance/security in the business has carried out some research and realised that appointing a DPO isn’t straightforward. And now they want to know if the business really needs to appoint a Data Protection Officer.
Whether you choose to formally appoint a DPO or not, GDPR compliance (and by association Information Security) is an important area of your business and needs to be addressed correctly.
Why are we talking about this? What’s changed in the new GDPR regulation around appointing Data Protection Officers?
The General Data Protection Regulation (GDPR) introduced a duty for you to appoint a data protection officer (DPO) if you are a public authority or body, or if you carry out certain types of processing activities.
What exactly does the GDPR say about Data Protection Officers?
Article 37 of the Regulation sets out three cases in which a DPO is mandatory. You will need to formally appoint a DPO if:
- Your organisation is a public authority or body (except for courts acting in their judicial capacity);
- The core activities of your business require large scale, regular and systematic monitoring of individuals (for example, online behaviour tracking); or
- Your core activities consist of large scale processing of special categories of data or data relating to criminal convictions and offences.
We can look at each of these in detail. Whether you are a public body or not should be easy to establish, but ‘core activities’, ‘large scale processing’ and ‘special category’ data all need some explanation.
What are core activities when processing data?
This is about the primary business activities of your organisation. If you need to process personal data to achieve your key objectives, this is a core activity. It is different from processing personal data for secondary purposes, such as payroll or HR records, which you may do all the time but which is not part of carrying out your primary objectives.
What is large scale, regular and systematic monitoring when processing data in relation to GDPR?
In relation to data subjects this includes all forms of tracking and profiling, both online and offline, whether for targeted behavioural advertising or for other reasons. The regulators’ guidance (the Article 29 Working Party guidelines on DPOs) reads the three words separately. ‘Regular’ means ongoing or recurring: it is not a ‘one off’ process but something that takes place constantly, periodically or at particular intervals. ‘Systematic’ means that it is carried out according to a system: pre-arranged, organised or methodical, and part of a general plan or strategy. ‘Large scale’ takes into account the number of data subjects, the volume of personal data and the range of data items, the duration or permanence of the processing activity, and its geographical extent. A single individual tracking a handful of people is not large scale; a platform tracking millions of users’ behaviour continuously is.
What is large scale processing of special categories of data?
For large scale see above. And now we are talking about personal data which the GDPR defines as being more sensitive, and therefore in need of more protection. Your lawful basis for processing this type of information must be clearly identified, but that is another conversation. The categories which are covered by this (Article 9) are those seen to create more of a risk to a person’s fundamental rights and freedoms, for example through discrimination:
- Racial or ethnic origin
- Political opinions
- Religious or philosophical beliefs
- Trade union membership
- Genetic data
- Biometric data used to uniquely identify a person
- Health data
- Sex life
- Sexual orientation
The third condition also covers large scale processing of personal data relating to criminal convictions and offences (Article 10), even though that is not formally a ‘special category’.
Even when these conditions do not apply to your organisation we would recommend at the very least that you nominate a specific person as being responsible for ‘Information Compliance’. You need to ensure they have the correct skill set and are fully supported to be able to perform the function.
What does the DPO role involve?
A Data Protection Officer has a very specific role within an organisation. Their job is to inform and advise the organisation and monitor its compliance with the GDPR, giving priority to the security and integrity of the personal data it holds and to the privacy and rights of the data subjects. Accountability for compliance itself stays with the organisation, not the DPO. For this reason the DPO needs to remain impartial and must be allowed to represent the interests of data subjects without being dismissed or penalised for doing so. They need the knowledge, support and authority to carry out the job effectively.
The Data Protection Officer will (for example):
- Inform and advise on all aspects of data protection
- Monitor compliance
- Work with the supervisory authorities as the main point of contact
- Respond to requests from data subjects
As always, there are plenty of misconceptions and misunderstandings. The one that comes up repeatedly is that the Data Protection Officer role cannot be done internally. This is nonsense. As long as the person has the correct knowledge and the seniority and authority to work independently and effectively, there is no reason why the DPO cannot be a member of staff. The one real constraint is conflict of interest: the DPO must not also hold a position in which they decide the purposes and means of processing, so roles such as head of IT, head of HR or head of marketing are generally unsuitable.
Guidance from the ICO is simple “A DPO can be an existing employee or externally appointed….” as long as they are “independent, an expert in data protection, adequately resourced, and report to the highest management level.” Essentially the points discussed in this post need to be addressed.
However, many smaller businesses may not have the capacity or level of need to justify a full-time position for data protection. In these cases it’s worthwhile looking at outsourcing the function in the same way they would look at outsourcing Human Resources or payroll.
What do you need to do now about appointing a Data Protection Officer?
- Consider whether you should appoint a DPO on a mandatory or voluntary basis.
- Consider the DPO role and the work you will have to carry out if you appoint a DPO.
- If you decide not to appoint a DPO, what alternative arrangements are you going to make to ensure that a suitably senior and qualified person can look after this important area of compliance?
- Once you have made the decisions, document them and the reasons for the outcome. If you conclude that a DPO is not required, you should be able to show a supervisory authority how you reached that conclusion.
- As with all data protection compliance, put a procedure in place to review your thinking at least annually.
If you need any further help or advice on this or any other aspect of Data Protection or Information Security please get in touch. We offer a full range of services from full GDPR gap analysis and GDPR project management to help with individual GDPR policies and procedures.