Does your firm need a Data Protection Officer (DPO)?
The incoming General Data Protection Regulation (GDPR) will replace the current Data Protection Act 1998 when it comes into force in May 2018. One of the first things most firms note is the requirement to appoint a Data Protection Officer (DPO). Even if firms don’t currently have a resident DPO, most are familiar with what they assume the role to be – but will this change under the new regulation?
The GDPR introduces a statutory obligation for firms carrying out certain types of business to appoint a DPO. For most, this means that appointing one will be mandatory; therefore, it is vital to understand what’s required before the GDPR comes into effect.
Essentially, the role of the DPO under GDPR is to assist firms to comply with the law. The GDPR itself sets out clearly what is expected of a DPO: they may be internal staff or a contractor, and they should be suitably qualified for the role. In particular, they should have expert knowledge of data protection law and practices and the ability to fulfil the tasks laid out in Article 39. These are:
To inform and advise the controller or the processor, and the employees who carry out processing;
To monitor compliance with the GDPR and any other data protection provisions, as well as with any internal and external policies that the firm is bound by, including training of staff;
To provide advice, where requested, as regards the data protection impact assessment and to monitor its performance;
To cooperate with the supervisory authority (in this case, the Information Commissioner’s Office);
To act as the contact point for the supervisory authority on issues relating to processing and to consult, where appropriate, with regard to any other matter.
In addition, Article 39 states that the DPO shall ‘have due regard to the risk associated with processing operations taking into account the nature, scope, context and purposes of processing’. It’s a role with significant responsibilities, so how do you know if you need to appoint one?
The GDPR makes the appointment of a DPO compulsory for:
Public authorities and bodies
Organisations that – as a core activity – monitor individuals systematically and on a large scale
Organisations that process special categories of personal data on a large scale
The Article 29 Working Party published a guidance document to try to provide some clarity on the above terms. What would be considered ‘large scale’ isn’t set out definitively and depends on a number of factors including the number of data subjects concerned, the volume of data and/or the range of different data items being processed, the duration of the data processing activity and the geographical extent of the processing activity. In short, if it could be argued that a firm deals with data volumes that would not be considered minor, it will need to appoint a DPO.
The Article 29 Working Party document points out that firms who are not required to appoint a DPO may choose to do so voluntarily. While this has obvious benefits (appointing a DPO demonstrates accountability and compliance with the Regulation), there are some possible pitfalls you need to bear in mind.
According to the Working Party, although DPOs may ‘fulfil other tasks and duties’, these must not result in a conflict of interest; positions such as Chief Executive, Chief Operating Officer, Chief Financial Officer, Head of Marketing, Head of HR or Head of IT are considered to conflict with the role. If you appoint a formal DPO, they will need to be able to comply with the full range of obligations. If it is not mandatory for your firm to appoint a DPO, and you aren’t sure that they would be able to comply with the obligations (for example, in a small firm where there is not the scope to employ a DPO who would be considered independent), you may decide not to appoint a formal DPO.
In such a case, a firm could still choose to designate an employee as its contact for data protection issues, and in practice they could still carry out the tasks set out in Article 39. The firm would need to document in writing that it does not have a DPO, and the reasons for this. There are other options available, such as engaging an external consultant, provided that there are no conflicts of interest.
Once a firm has made the decision to appoint, it is essential to ensure the DPO is suitably qualified. Whilst there are currently no mandatory qualifications, the appointee would be expected, at a minimum, to have expertise in national and European data protection laws and an in-depth understanding of the GDPR.
With just six months to go until GDPR comes into effect, it is vital that firms ensure their DPO has the expertise they need to adequately fulfil the role in line with the Regulation. Our two-day residential course in April is perfect for those who are new to the role of a DPO under GDPR, covering all of the responsibilities under the new Regulation. You can now download a GDPR Education Series and Preparation Pack if you need further support.