Do I need a Data Protection Officer to comply with the General Data Protection Regulation (GDPR)?
11 September 2017
The countdown is on for the official GDPR implementation date as the six-month deadline approaches. Many organisations will be in the process of reviewing the data they hold, where it is stored, how it is processed and who has access to it, as well as the various other requirements they need to implement before 25th May 2018.
One such requirement you may have come across is the appointment of a Data Protection Officer. In brief, this is an enterprise-level security role designed to help processors and controllers comply with their GDPR requirements. Specifically, Articles 37-39 set out the DPO’s role and requirements, but does your organisation actually need to appoint one to comply with the new regulation?
Which organisations need a Data Protection Officer?
Under the GDPR (Article 37), you must appoint a Data Protection Officer (DPO) if:
- You are a public authority (except courts acting in their judicial capacity); or
- You are a controller or processor whose core activities consist of processing operations which require regular and systematic processing of data subjects on a large scale; or
- You are a controller or processor whose core activities consist of processing on a large scale of sensitive data or data relating to criminal convictions/offences.
The Article 29 Working Party (WP29) has now published additional guidance to clarify the requirements for appointing a Data Protection Officer outlined in Article 37.
- “Core Activities” – For processing to be considered a core activity it should be part of the key operations needed to achieve the controller/processor’s objectives and “form an inextricable part of the controller’s or processor’s activity”. This would not include support activities such as payroll or IT support, which are typically supporting functions.
- “Large Scale” – Organisations should take into account the following factors when considering whether their processing is “large scale”:
  - The number of data subjects concerned;
  - The volume of data or the range of data items;
  - The duration of processing; and
  - The geographical extent of processing.
- “Regular and Systematic Processing” – This would “include all forms of tracking and profiling on the internet, including for the purposes of behavioural advertising”; however, it could also include offline activity. According to the WP29, “regular” monitoring means monitoring which is:
  - Ongoing, or occurring at particular intervals for a particular period;
  - Recurring or repeating at fixed times; or
  - Constantly or periodically taking place.
If you are a public authority or your processing activities meet any of the above requirements, then it will be mandatory for you to appoint a DPO in order to comply with the GDPR. However, any organisation can appoint a DPO if it wishes. For those that decide to do so, it is important to remember that voluntary DPOs will still be subject to the same requirements and responsibilities as mandatory DPOs.
The Information Commissioner’s Office has further stated that, regardless of whether you are obliged to appoint a DPO, you must ensure that your organisation has “sufficient staff and skills to discharge your obligations under the GDPR”.
The WP29 advises that, unless it’s obvious that your organisation does not require a DPO, you should keep records of your decision-making process on how and why you have decided not to appoint one.
Roles and Responsibilities of a Data Protection Officer
- Educate the company and employees on important compliance requirements
- Train staff who are involved in data processing
- Conduct audits to ensure compliance and address potential issues proactively
- Be the point of contact for supervisory authorities and for individuals who submit requests regarding their personal data
- Maintain comprehensive records of all data processing activities conducted by the company, including the purpose of all processing activities
- Communicate with individuals to inform them how their data is being used, their right to have their personal data erased, and what measures the company has put in place to protect their personal information.
Who can be a Data Protection Officer?
You can outsource your requirement to a third party or you can appoint a current member of staff to be your DPO, providing there are no conflicts of interest with their current role.
The GDPR has not defined a particular list of qualifications or required experience, but does require a DPO to have “expert knowledge of data protection laws and practices”. This knowledge should be proportionate to the type of processing your organisation carries out and take into consideration the level of protection the personal data requires. Unsurprisingly, your DPO should also have a deep understanding of the GDPR.
Ideally, a DPO should have excellent management skills and the ability to communicate with internal staff at all levels as well as with supervisory authorities and members of the public. They must be able to manage data protection and compliance internally, and ensure they report any breaches or non-compliance to the relevant supervisory authority.
As an employer you also have specific duties when it comes to your DPO, namely, you must ensure that:
- The DPO reports to the highest management level of your organisation, e.g. the board
- The DPO operates independently and is not dismissed or penalised for performing their duty
- Adequate resources are provided to ensure the DPO can meet their GDPR obligations
The DPO will be a high-profile and highly accountable role, requiring a certain level of expertise and experience, so it’s important that organisations hire the right person for the job. Organisations should assume they require a DPO – unless they can clearly demonstrate otherwise – but it could be considered best practice to appoint one anyway, based on advice from the ICO and the WP29. Just bear in mind that a voluntary DPO will have the same requirements and responsibilities as a mandatory DPO.