There is currently no legal requirement for companies to appoint a dedicated officer responsible for data protection; the Information Commissioner’s Office merely encourages this as good practice. However, this will change when the General Data Protection Regulation (“GDPR”) comes into force in May 2018 and introduces a requirement for certain organisations to appoint a Data Protection Officer (“DPO”).
The Article 29 Working Party has issued its final guidance (“the WP29 Guidance”) on the appointment of DPOs. This guidance aims to help with compliance with the GDPR, assist DPOs in their role and provide best practice recommendations.
Who will be required to appoint a DPO?
From May 2018, you will be required to appoint a DPO if one of the following applies:
You are a public authority or body
The GDPR provides no definition of what constitutes a ‘public authority or body,’ and the WP29 Guidance considers that ‘such a notion is to be determined by national law.’ To that end, the Data Protection Bill (which is currently making its way through Parliament) defines the following as “public authorities” and “public bodies” under UK law:
- A public authority or Scottish public authority as defined by the Freedom of Information Act, subject to any regulations by the Secretary of State to provide otherwise;
- An authority or a body specified by the Secretary of State in regulations.
While the Data Protection Bill has not yet become law, it is likely that examples will include councils, schools, emergency services etc. It may also cover private companies that carry out public functions or services, for example in the areas of water, transport, energy and housing.
Your core activities require regular and systematic processing of data subjects on a large scale
The WP29 Guidance explains that ‘core activities’ can be considered as the key operations necessary to achieve the controller’s or processor’s goals. These include all activities where the processing of data forms an inextricable part of the organisation’s activity.
There is no definition of what constitutes ‘large scale processing’ in the GDPR, but the WP29 Guidance recommends that organisations take into account a number of factors such as the number of data subjects involved, the duration and geographical extent of the processing and the volume of data items being processed.
Examples of large scale processing include:
- processing customer data by an insurance company;
- processing of travel data of individuals using a city’s public transport system;
- processing of real time geo-location data of customers of an international fast food chain for statistical purposes by a processor specialising in providing these services;
- processing personal data for behavioural advertising by a search engine.
Your core activities consist of processing special categories of personal data, or data relating to criminal convictions/offences, on a large scale.
‘Special categories of personal data’ is defined in Article 9 of the GDPR and broadly covers the same categories as ‘Sensitive Personal Data’ as defined in the Data Protection Act 1998. This includes data which would reveal information such as ethnic origin, personal opinions, religious beliefs and health data, and applies to, amongst others, trade unions, healthcare providers storing patient records and polling companies.
It is also open to the Government to specify other circumstances requiring a DPO to be appointed. As it stands, the UK has not made any indications it will make appointing a DPO mandatory in any further circumstances than those set out in the GDPR.
What happens if we do not appoint a DPO?
The violation of the DPO-related provisions of the Regulation may attract substantial administrative fines (up to 10,000,000 EUR, or up to 2% of the total worldwide annual turnover of the preceding financial year, whichever is higher).
The WP29 recommends that, unless it is obvious that there is no need to appoint a DPO, businesses should keep a record of the decision-making process which demonstrates that they have considered all relevant factors properly.
This is just one element of the suite of documents which should be maintained in accordance with the new GDPR principle of accountability and which may be requested by the ICO at any time. Every time your business undertakes new activities or offers new services, you should reconsider whether a DPO is required and update your records accordingly.
For many organisations, the question of whether a DPO will be needed will not be straightforward. The ICO is currently developing a ‘Guide to the GDPR’ which should provide greater clarity and guidance on how it will impact businesses in the UK.
Should we consider appointing a DPO anyway?
Even if it is clear that you are not required to appoint a DPO, you should carefully consider the various obligations upon both the DPO and the organisation before appointing one in any event.
You may still designate an individual or provider to assist you in meeting your data protection obligations. This will both improve your compliance and provide the ICO with reassurance that you have taken your obligations seriously in the event of a data protection breach.
What are the roles and duties of a DPO?
The DPO will be a stand-alone appointment, carrying significant responsibility. The DPO’s name will be a matter of public record and they must act as the advisor to you on all issues relating to data protection.
Where a DPO has been appointed, they are responsible for all the data processing activities carried out by the organisation. It is not possible to limit the remit of the DPO to a section of the organisation’s activities.
Their primary duty is to monitor compliance with the GDPR. Although the organisation itself is liable for any non-compliance, the DPO will have a great deal of responsibility.
The tasks the DPO will be responsible for are set out in Article 39 of the GDPR. These are:
- Informing and advising the company and its employees of their European and national data protection obligations - the DPO will therefore be responsible for producing internal guidelines on the GDPR, checking the existing policies in place and, if necessary, adapting or designing new ones that are compliant with the provisions;
- Monitoring compliance with the Regulation and other data protection laws - this will include conducting internal audits and reviews of all the processes in the business to ensure the implementation of data protection policies. The DPO should work with every department in the organisation to ensure that compliance is followed at every stage of processing;
- Awareness-raising and the training of staff on the provisions in the GDPR - this could be done through group workshops, one-to-one sessions or formal in-house training. As well as existing employees, DPOs also need to ensure that new hires are aware of the data protection requirements. There is a continuing obligation to ensure that staff are made aware of any updates or developments;
- Providing advice where requested as regards the data protection impact assessments (DPIAs) and monitoring compliance and performance – DPIAs are mandatory when processing is ‘likely to result in high risk to the rights and freedoms of natural persons.’ The DPO must be consulted and any advice taken should be documented as part of the DPIA process;
- Engaging with the Information Commissioner’s Office or relevant Supervisory Authority – the relevant Supervisory Authority is the body the DPO will notify of compliance activity such as a data security breach or a risky processing activity. It will also need to be notified by the organisation if a new DPO is registered.
In addition, the WP29 Guidance suggests:
- The DPO is required to report to the highest level of management within an organisation and must be invited to participate regularly in meetings of senior and middle management;
- The DPO should be present where decisions with data protection implications are taken; all relevant information must be passed on to the DPO in a timely manner in order to allow him or her to provide adequate advice;
- The opinion of the DPO must always be given due weight, and reasons for not following the DPO's advice should be documented; and
- The DPO must be promptly consulted once a data breach or another incident has occurred.
For this reason, organisations must ensure that employees have a confidential means of communicating with the DPO. Where the DPO is internal, face-to-face discussions can of course be confidential. However, if an organisation employs an external DPO, it must ensure that employees are provided with a way of contacting the DPO which is not monitored by the organisation.
Who can serve as the DPO?
The DPO must be independent and autonomous. This means that organisations cannot instruct the DPO how to complete tasks. Senior managers (including the Head of Human Resources, Marketing or IT) are barred from serving as the DPO. Existing privacy officers may also not be appropriate as a result of their existing role and responsibilities with respect to the day-to-day implementation of data processing systems.
The DPO must be appointed “on the basis of professional qualities and, in particular, expert knowledge of data protection law and practices”. Although they do not need to be legally qualified, they must have expert knowledge of data protection law, and records should be kept to demonstrate their qualifications, amongst other things. The WP29 Guidance suggests that the required level of expertise must be commensurate with the “sensitivity, complexity and amount of data an organisation processes”. It is essential for the DPO to have a good understanding of your business and be familiar with your IT infrastructure.
Can we appoint a DPO external to the organisation?
Conflict of interest issues may still arise if your DPO is external to your organisation. For example, if an organisation’s lawyer has been appointed, the DPO will be unable to represent the organisation in litigation or cases involving data protection issues.
How should we formalise the DPO’s appointment?
The DPO can be an employee or engaged by way of a service contract. The terms of their appointment should be given specific thought, particularly to ensure provisions relating to confidentiality and conflicts of interest are compliant.
The GDPR also makes it clear that a DPO cannot be dismissed, terminated or penalised for performing their tasks. As the WP29 Guidance highlights, the DPO cannot be dismissed for providing advice that the company does not agree with. However, the guidelines do not clarify whether the DPO could be dismissed if the company reaches the conclusion that they are not appropriate for the role. The GDPR is silent on what remedy, if any, the individual will have if they are dismissed. Commentators have suggested that this may be added to the list of automatically unfair reasons under the Employment Rights Act, but this remains to be seen.
What should we do next?
The decision whether to appoint a DPO is just one element of your organisation’s GDPR compliance. Becoming compliant will inevitably involve an assessment of the nature of the data which your organisation processes, the role of that data within the organisation and the scale of processing, which will inform your decision concerning appointment of a DPO.
Should you decide that appointment of a DPO is necessary, it makes good sense to commence this process as soon as possible. It may take some time to identify an appropriate individual and once appointed, that person will be integral to the process of ensuring your organisation is GDPR compliant by May 2018.