The EU's Article 29 Working Party has published new Guidelines on the role of Data Protection Officers under the General Data Protection Regulation. Data Protection Officers are seen as a cornerstone of data protection compliance, and many businesses will be subject to a mandatory obligation to appoint a Data Protection Officer.
The General Data Protection Regulation (the "GDPR") was published on 27 April 2016, and enforcement will begin on 25 May 2018. However, in some areas, the precise interpretation of the GDPR remains unclear, and businesses therefore face uncertainty in terms of their compliance obligations. To address this issue, the GDPR is supplemented by guidance issued by the Article 29 Working Party ("WP29"), an advisory body made up of representatives of the national Data Protection Authorities of each EU Member State.
In its first round of guidance since the GDPR was finalised, the WP29 has issued Guidelines on Data Protection Officers (the "Guidelines"). The Guidelines provide businesses with useful information on the appointment and role of Data Protection Officers ("DPOs").
What is a DPO?
A DPO is a person (either an employee or an external consultant) who is given formal responsibility for data protection compliance within a business. Under existing EU data protection law, the approach to DPOs varies from one Member State to the next. In most cases, it is not currently mandatory to appoint a DPO, although there are some EU Member States (e.g., Germany and Sweden) in which the decision to appoint a DPO has practical advantages (e.g., obviating the need to file a registration with the Data Protection Authority). As set out below, the GDPR will introduce significant new obligations which will require many businesses to appoint DPOs. The GDPR will also implement a much more formal framework around the roles and responsibilities of DPOs.
The obligation to appoint a DPO under the GDPR
Article 37(1) of the GDPR states that a DPO must be appointed if:
- the relevant data processing activity is carried out by a public authority or body;
- the core activities of the relevant business involve regular and systematic monitoring of individuals, on a large scale; or
- the core activities of the relevant business involve processing of sensitive personal data, or data relating to criminal convictions and offences, on a large scale.
The Guidelines provide a more detailed explanation of these concepts, enabling businesses to better understand their compliance obligations.
Appointing a DPO
Article 24(1) of the GDPR requires businesses to demonstrate that they are compliant with the requirements of the GDPR. The Guidelines therefore recommend that businesses should keep records of any decision to appoint, or not appoint, a DPO, and any analysis undertaken in connection with that decision.
The Guidelines provide further clarity on the key terms used in Article 37(1) of the GDPR:
- "Public authority or body": Any organisation that is a public authority or a public body must appoint a DPO. However, the GDPR does not define the expression "public authority or body". Rather, the GDPR leaves it to each EU Member State to determine which organisations are public authorities and public bodies. Where a private business performs outsourced public functions on behalf of a public authority or a public body, the WP29 recommends that that business should appoint a DPO, not merely in relation to those outsourced public functions, but also in relation to all of the other data processing activities of that business (including processing activities that are unrelated to the outsourced public functions).
- "Core activities": The meaning of this phrase is critical, because businesses are legally obliged to appoint a DPO if their "core activities" fall within the scope of Article 37(1) of the GDPR (set out above). The Guidelines make it clear that the term "core activities" refers to the key operations necessary to achieve the main objectives of the relevant business. For example:
  - The processing of health data by a hospital is an operation that is necessary to achieve the hospital's main objectives, so all hospitals are likely to need to appoint DPOs.
  - The processing of personal data in the context of internal IT services or payroll processing (which are ancillary activities, rather than inextricably linked to the main objectives of the relevant business) does not trigger the obligation to appoint a DPO, according to the Guidelines.
- "Large scale": Like "core activities", the phrase "large scale" is important in determining whether a business is required to appoint a DPO under Article 37(1) of the GDPR. The phrase "large scale" is not defined, but the Guidelines note that there are some cases that are clearly large scale (e.g., processing at a regional, national or international level) and some cases that are clearly not large scale (e.g., processing of personal data of an individual patient by a doctor). But most business activities will fall somewhere between these two extremes. The Guidelines recommend that businesses should consider the following factors in determining whether a given processing activity is "large scale" or not:
  - the number of individuals affected (either in abstract, or as a percentage of the relevant population);
  - the volume of data, and/or the number of categories of data, being processed;
  - the duration or permanence of the processing activities; and
  - the geographic scope of the processing activities.
  - Examples of processing activities that are large-scale include:
    - processing of patient data by a hospital in the regular course of business;
    - processing of customer data in the regular course of business by an insurance company or a bank;
    - processing of personal data for behavioural advertising purposes; and
    - processing of data (content, traffic, location) by telephone or internet service providers.
  - Examples of processing activities that are not large-scale include:
    - processing of patient data by an individual physician; and
    - processing of personal data relating to criminal offences by an individual lawyer.
As these examples illustrate, the threshold for appointing a DPO is relatively low.
Article 37(1) of the GDPR applies to businesses that act as controllers and businesses that act as processors (e.g., outsourced service providers). Even where a controller is obliged to appoint a DPO, a processor that carries out processing on behalf of that controller will need to do its own analysis, and will not necessarily have to appoint a DPO (and vice versa). Nevertheless, the Guidelines note that the appointment of a DPO by a processor may be good practice in any event.
- Appointing a DPO voluntarily: A business can choose to voluntarily appoint a DPO even if it is not legally obliged to do so. However, it is important to note that a business that appoints a DPO voluntarily must still comply with the full range of DPO-related compliance obligations, as if that appointment had been mandatory.
- Appointing a non-DPO to a data protection compliance role: Businesses that do not need to appoint a DPO may choose to appoint other staff to perform tasks relating to data protection compliance. Such staff should not be referred to as "DPOs" or "Data Protection Officers" (even informally), to avoid any risk of confusion and the aforementioned consequences of voluntarily appointing a DPO.
- Appointing a group DPO: A single DPO can be appointed for a corporate group (or several entities within a group) provided that he or she is easily accessible from each business location for which he or she is responsible (i.e., the DPO's contact details must be readily available, and it must be straightforward for individuals and Data Protection Authorities to contact the DPO). This also requires that the communication with the DPO may take place in the language used by the respective Data Protection Authorities and data subjects.
- Appointing a DPO team: Depending on the size and structure of a business, it may be appropriate to appoint a team of individuals (a formal DPO and his or her staff) to fulfil the obligations of the DPO. If a business decides to adopt this approach, it will need to clearly set out the roles and responsibilities within that team, and designate a lead contact who is responsible for that team.
- Appointing an external DPO: A business may appoint an external contractor as its DPO (as opposed to an employee) provided that the external DPO has sufficient knowledge of the business and its data processing activities to fulfil the role. A team of individuals within an external service provider may also be able to fulfil the role of the DPO, again with a single individual acting as lead contact.
- Expertise and skills: A DPO must have suitable professional qualities and expert knowledge of data protection law, to fulfil the role. The required level of expertise will vary depending on the business – the more complex, or high-risk, the data processing activities are, the greater the expertise of the DPO will need to be.
- Independence of the DPO: The DPO must be autonomous (i.e., the business must not instruct the DPO on how to complete his or her tasks) and independent (i.e., he or she must avoid any conflict of interests). As a rule of thumb, most senior positions within a business are likely to conflict with the duties of the DPO (e.g., chief executive, chief operating, chief financial or chief medical officer; head of marketing; head of HR; or head of IT). Businesses should create internal rules and safeguards to ensure that the DPO is able to act independently and without conflicts of interest.
- Protections for DPOs: To help ensure that DPOs are autonomous and independent, DPOs are protected under the GDPR from unfair dismissal / termination for reasons relating to their performance of the DPO role. A DPO who is an employee of the business may also benefit from the protections afforded by local employment law in some EU Member States, making it difficult for businesses to remove DPOs from their roles. For the avoidance of doubt, the GDPR does not protect a DPO from dismissal / termination for reasons that are not connected with their performance of the DPO role (e.g., theft, sexual harassment, gross misconduct, etc.) but businesses cannot remove a DPO merely because he or she adopts a risk-averse approach to data protection compliance. Consequently, it is vital for businesses to ensure that they select a suitable DPO. If a business appoints an external contractor as its DPO, the protections afforded by the GDPR also apply to such external contractor (e.g., no unfair termination of the service contract for activities as DPO).
- Role of the DPO: The business must involve the DPO from the outset in all issues relating to data protection compliance (e.g., by inviting the DPO to attend relevant meetings at which decisions about data processing are made). The business must provide the DPO with necessary resources to fulfil the DPO role (e.g., active support from senior management; if the DPO role is part-time, sufficient time to carry out his or her DPO responsibilities; continuous training; appropriate financial resources; etc.).
- Tasks of the DPO: The tasks of the DPO include monitoring the business's compliance with the GDPR, and advising the business on data protection issues. Additionally, the DPO has a role in carrying out data protection impact assessments ("DPIAs"). Where high-risk processing is contemplated, the business should actively seek advice from the DPO on conducting a DPIA. The DPO is supposed to take a risk-based approach, ensuring that high-risk processing activities are prioritised. Pursuant to the Guidelines, the business may also involve the DPO in other data protection related tasks such as maintaining the newly introduced record of processing operations.
- Accountability: The task of the DPO to monitor the business's compliance with the GDPR does not lead to individual liability of the DPO for non-compliance by the business. The business may disagree with the advice given by the DPO (e.g., in the context of a DPIA) and the business is not required to follow the DPO's advice. However, the Guidelines then require the business to document in writing the reasons for not following the DPO's advice.
Consequences for businesses
Businesses should consider carefully whether they are required to designate a DPO, bearing in mind that: (i) the Guidelines make it clear that all businesses should consider voluntarily appointing a DPO; and (ii) if a business chooses not to appoint a DPO the Guidelines recommend that the business maintains records of the reasons behind that decision to be able to demonstrate that all relevant factors have been properly considered. Businesses that appoint a DPO need to ensure that the DPO has access to all the resources and support necessary to fulfil the role, and ensure the DPO's independence and autonomy. This is particularly important where a single DPO is designated for a group of undertakings, as the challenges of this approach are much greater. If a business fails to fulfil its obligations regarding the appointment and support of a DPO, it may face fines under the GDPR up to a maximum of the greater of €10 million or 2% of worldwide turnover.
Furthermore, businesses need to ensure that an appropriate DPO is appointed, with the requisite expertise and knowledge. If the appointment of a DPO is delayed until enforcement of the GDPR begins, the business may find that there are no suitably qualified candidates available.
Meanwhile, despite the uncertainty over Brexit, the UK government has confirmed that the GDPR will apply in the United Kingdom from 25 May 2018. This means that UK businesses will be subject to the obligation to appoint a DPO, as set out above.
White & Case has produced a detailed GDPR Handbook that provides practical guidance on the impact of that legislation on businesses.
Chris Ewing and Aleksandra Drabek assisted in the development of this publication.