As mentioned in our previous GDPR update, the seventh update in this series will explain the role and functions of a Data Protection Officer ("DPO") and examine whether or not an organisation has to appoint one.
For many organisations, DPOs will be at the heart of the new data protection landscape. This is because DPOs will be tasked with facilitating GDPR compliance within their organisation. A DPO’s general duties will be:
- identifying the various processing activities of the company;
- analysing and checking the compliance of these activities; and
- informing, advising and issuing recommendations to the company.
In addition to ensuring GDPR compliance, DPOs act as intermediaries or the point of contact between the company, data subjects and the Data Protection Commission. Under the GDPR, an employer is mandated to have a DPO appointed but only in certain circumstances.
In particular, the requirement to appoint a DPO will apply to:
- employers whose core activities consist of:
- data processing operations which, by virtue of their nature, scope and purposes, require regular and systematic monitoring of employees on a large scale; or
- processing on a large scale of the special categories of data and data relating to criminal convictions; and
- all public bodies and authorities (other than courts acting in their judicial capacity).
If any one of the above three criteria apply to your company, then you are legally obliged to appoint a DPO. If you do not believe your company falls into any of these criteria, then you will not have to appoint a DPO. European guidance recommends that you record your company’s internal analysis for arriving at the decision that a DPO is not required, save where it is “obvious” that a DPO is not required.
An employer might not be legally required to appoint a DPO but might decide that it is a good idea to do so anyway. Employers should be cautious in this regard because in the event an employer voluntarily decides to appoint a DPO, they will be subject to all DPO related provisions in the GDPR as if they had been required to appoint one. Appointing a DPO is therefore an important strategic decision to make. Provided that there is no confusion regarding title, status, position and tasks, organisations can appoint staff or consultants to undertake data protection related tasks, without those individuals being DPOs. However, employers need to make this distinction clear in all internal and external communications.
A DPO may be part time, and an existing employee can serve as the DPO, provided they have the required expertise and any other role they hold in the organisation does not give rise to a conflict of interest with the DPO role. Alternatively, an external DPO can be appointed under an appropriate service contract. Either way, whoever the DPO is, they need to be in a position to perform the requisite duties and tasks in an independent manner. In terms of avoiding a conflict of interest, European guidance suggests, as “a rule of thumb”, that a DPO may be conflicted if they hold a senior management position in the company (such as CEO, COO, CFO, chief medical officer, head of marketing department, head of HR or head of the IT department) as well as positions lower down in the organisational structure if such positions lead to the determination of the purposes and means of the processing of personal data. The DPO must also report into the board.
Employers should publish the contact details for their DPO so that the DPO’s details are available to the general public. Employers do not need to publish the DPO’s name to the public but should communicate a name and contact details to the Data Protection Commission, as well as internally to all employees of the organisation.
The DPO cannot be held personally liable for breaches of the GDPR. They also enjoy a protected employment status (in the same manner as works council representatives in many EU jurisdictions) so that an employer cannot dismiss a DPO for performing his or her functions even where this may be seen as a failing to assist or obstructing the employer in the broader running of the business. Significantly, if an employee is the designated data protection person in a given organisation, but is not the formal DPO, they do not enjoy any such protection, at least under this legislation.
One interesting point for employers to consider is that if a DPO raises issues in relation to compliance with the GDPR, the DPO will not be protected by the Irish whistleblowing legislation, the Protected Disclosures Act 2014. This is because an employee whose job it is to identify issues and compliance problems as part of their role cannot make a protected disclosure under the whistleblowing legislation in relation to those issues. However, if an employee with no compliance type role discloses a data breach, for instance, then they could technically come within the remit of the whistleblowing legislation. For now the practical challenge many large employers are facing is finding a suitable candidate for their DPO role.
The next question is how does an employer deal with a data breach within its organisation? Our next update will deal with mandatory breach notifications and the right of an employee to make a subject access request to their employer.
If you are interested in further detail on the HR aspects of the GDPR, you can access a panel discussion on this from the Matheson Employment Law Podcast series.