The introduction of a formal role of Data Protection Officer (“DPO”) is one of the features of the General Data Protection Regulation (“GDPR”). While the concept of a DPO is not new, with many EU member states utilising it in differing ways over the last decade, the GDPR introduces the role as a central pillar of accountability. Under the GDPR it will be mandatory for certain organisations to appoint a DPO, as outlined below. It is worth noting that, while the appointment of a DPO is only mandatory for certain organisations, it is becoming common practice for organisations to designate a DPO on a voluntary basis as a measure to protect the integrity of the organisation’s data.

The Requirement

Article 37 of the GDPR requires an organisation to appoint a DPO if they:

(a) are a public authority (except for courts acting in their judicial capacity);

(b) carry out large scale systematic monitoring of individuals (for example, online behaviour tracking); or

(c) carry out large scale processing of special categories of data or data relating to criminal convictions and offences.

While points (a) and (c) above are somewhat self-explanatory, point (b) will be of interest to many different types of organisation and is worth considering further. It can be broken down into the following elements:

  • is the activity undertaken a key operation necessary to achieve the controller’s or processor’s goals? If the processing of personal data is part of the core activity of the organisation (as opposed to a support function such as payroll or IT support) then the organisation must designate a DPO;
  • is the activity undertaken on a large scale? Unfortunately, the GDPR does not define what can be considered “large scale”; however, organisations should take into account the number of data subjects concerned, either as a specific number or as a proportion of the relevant population. Examples include the processing of patient data in the course of business by a hospital or for behavioural advertising by a search engine. It is not likely to include processing of individual subject data by a professional advisor such as a doctor or accountant;
  • does the activity undertaken include regular and systematic monitoring? Again, the GDPR fails to define what this means; however, the Article 29 Working Party has provided some guidance. Examples would include providing telecommunications services; email retargeting; data-driven marketing activities; location tracking; CCTV; and internet of things connected devices.

Summary

Guidance from the Article 29 Working Party has been to adopt a ‘better safe than sorry’ approach: unless it is obvious that an organisation is not required to designate a DPO, it is recommended that organisations document the internal analysis carried out to determine whether or not a DPO is to be appointed, so that they can demonstrate that the relevant factors have been taken into account properly.

The DPO will be at the heart of a new era of data protection for many organisations. It is important for organisations whose activities might require the appointment of a DPO to get a grip on the requirement well in advance of the implementation deadline in order to properly establish and resource the role and assist the business in meeting its obligations under the GDPR.