The EU General Data Protection Regulation (GDPR) laid out the job description for a new role, that of Data Protection Officer (DPO), and made the appointment mandatory in some cases. Businesses must appoint a DPO if any of their core activities consist of:
(a) processing operations which require regular and systematic monitoring of data subjects on a large scale; or
(b) processing on a large scale of special category data (personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, health, sex life or sexual orientation) or personal data relating to criminal convictions and offences.
Beyond this, guidance from the European Data Protection Board (EDPB) and from the UK’s Information Commissioner’s Office (ICO) encourages organisations to voluntarily appoint a DPO as a measure to help them achieve and maintain compliance with the GDPR, and many have done so. So, how are things working out in the wild, in the brave new post-25th May world? Some organisations initially decided to appoint a DPO, but have made an appointment which has not turned out satisfactorily, or they have found it difficult to fill the position at all. This is not surprising: well-qualified candidates are thin on the ground, many having been snapped up months or years ago in the run-up to 25 May 2018.
This is leading some companies to reassess their approach: do they really need to appoint a DPO? What are the risks involved in that decision and how do they mitigate them?
Damned if you don’t – is it necessary to appoint a DPO?
In some cases, companies have erroneously thought that they needed to appoint a DPO, when in fact they did not.
Often this has been based on an assumption that they are caught by limb (a) above (monitoring of data subjects), for example, because they use security cameras in areas such as entry points and car parks, or because their IT systems record information about data flows between employees’ computers/mobile devices.
A company may have focused its analysis on a detailed consideration of whether the processing in question amounts to monitoring, and if so, whether that monitoring is regular and systematic, and whether it is on a large scale.
However, sight has often been lost of the other key aspect of the test – that the processing operation is part of the company’s core activities. Although many companies are engaged in activities which might amount to monitoring, in comparatively few cases will it be a company’s core activity as opposed to a merely ancillary one.
Damned if you do – the risks of appointing a DPO
Many companies are well aware that they will be in breach of the GDPR if they fail to appoint a DPO when obliged to do so, risking serious fines and other sanctions. But fewer seem to appreciate that the appointment of a DPO in itself opens up an array of further ways to fall foul of the law.
The GDPR lays down a number of mandatory requirements relating to DPOs, including the nature of the DPO’s role, the scope of their duties, the way they are exercised, and how they must be supported. It is not enough to appoint a DPO when required to; an organisation must comply with all aspects of the stipulations about the role of DPO. Failure to meet any of these requirements will breach the GDPR.
Here’s an example to chew over:
A company decides to appoint a DPO. Struggling to find a suitable candidate for the salary it is prepared to offer, it decides to designate someone internally, adding the role of DPO to the existing duties of one of its company secretarial team. She has no previous data protection experience, and continues to report to her current boss, a middle manager, and continues with her existing duties. This includes specifying and overseeing the introduction of her pet project, a system whereby the company will conduct detailed background checks (including criminal record and credit checks) on all applicants for management positions.
The appointment is likely to breach the GDPR:
- Firstly, the fledgling DPO has not been appointed on the basis of her professional qualities, nor does she have expert knowledge of data protection law and practices. These are requirements of the GDPR.
- Secondly, she does not report to the board, but to a lower tier of management. The GDPR expressly states that the DPO should report directly to the highest management level.
- Thirdly, the GDPR makes it plain that a DPO is not permitted to perform other roles if these result in a conflict of interests. The duties of her pre-existing role entail her being responsible for introducing a new type of potentially risky personal data processing, but as DPO, she will be sitting in judgment as to whether the new processing is compliant with the GDPR. It is easy to see how this might give rise to a conflict.
Reducing the risk if you don’t appoint a DPO
If an organisation is uncertain as to whether it is legally obliged to appoint a DPO, guidance from the authorities recommends that it should appoint one in any case. If your company is in this position, and decides not to follow the guidance, you should consider taking steps to reduce the risks of possible non-compliance. This could include, for example:
- Documenting your decision-making process, so that if necessary, you could demonstrate to a regulator that you have properly considered the matter and come to a reasonable position.
- Creating a role which is as close as practicable to that of a DPO in all but name, and ensuring that all the requirements of a GDPR-level appointment are met, in terms of the person’s experience, their duties, and the way they are treated and supported by the rest of the business.
- Frequently revisiting your decision, especially when adopting new technologies, or expanding into new areas of business.
- Keeping a close eye on relevant court cases, and on new decisions and updated guidance from the ICO and the EDPB.