GDPR: Do we need a Data Protection Officer? If so, who?

With “GDPR go-live” just around the corner, one of the questions businesses need to be asking themselves is “Do we need to appoint a Data Protection Officer (DPO)?” Similarly, if your business asks you to act as its DPO, you should be asking what this involves, and whether you should accept the appointment.

Under GDPR, a business must accept considerable responsibilities towards its DPO. And the DPO takes on significant rights and obligations. The DPO shouldn’t simply be the person drawing the short straw in the organisation; it is a well known fact that the financial penalties under this legislation are potentially enormous. Correct appointment of a DPO is a crucial step towards mitigating data protection risks.

Do we need to appoint a DPO?

The relevant legislation is GDPR Article 37, which is entitled “Designation of the data protection officer”. The article states that an organisation must appoint a DPO if:

  1. it is a public authority (other than a court of law); or
  2. a primary function of the organisation involves “regular and systematic monitoring of data subjects on a large scale”; or
  3. the organisation processes “special” personal data (see Article 9) or data about convictions/offences, on a large scale.

The first and third points are perhaps the easiest to understand. Less clear is the meaning of “regular and systematic monitoring”.

The Article 29 Working Party (WP29) is a trans-national group composed to advise member states on the correct interpretation of GDPR. Helpfully, WP29 has issued guidelines concerning DPOs, most recently updated on 5 April 2017.

Section 5 of the guidelines provides clarification of this phrase, stating that it “clearly includes all forms of tracking and profiling on the internet, including for the purposes of behavioural advertising”. It then provides several useful examples that may fit the definition:

  • operating a telecommunications network
  • providing telecommunications services
  • email retargeting
  • data-driven marketing activities
  • profiling and scoring for purposes of risk assessment
  • location tracking
  • loyalty programs
  • behavioural advertising
  • monitoring of wellness, fitness and health data via wearable devices
  • closed circuit television
  • connected devices e.g. smart meters, smart cars, home automation, etc.

We don’t have a definition of “large scale”. The guidance offers some principles (how many data subjects, the geographical reach, etc.), but it is still a matter for the organisation to judge whether the data processing is large-scale. Suffice it to say: if you have a marketing database with hundreds of thousands of records, and you conduct targeted advertising campaigns, you’re probably caught by this requirement. Whatever you decide, make sure your decisions are recorded, in accordance with the principle of accountability.

One more point: even if GDPR doesn’t strictly oblige your organisation to appoint a DPO, it may be prudent to do so anyway. For one thing, it gives you a dedicated specialist, able to field queries related to data protection. For another, it is almost certainly good PR, since it communicates to partners, customers, etc., that you are taking data protection seriously. Bear in mind if you’re appointing a DPO, you must comply with the GDPR’s requirements relating to DPOs, whether or not the appointment is mandatory.

Characteristics of a DPO

Whether you’re appointing a DPO or you’ve been approached to act as your organisation’s DPO, it’s important to understand the obligations of the role. Articles 37 and 38 of the GDPR say that:

  • the DPO shall be selected on the basis of professional qualities
  • the DPO must have expert knowledge of data protection law and practices
  • the DPO may be a member of staff or a third party engaged for the purpose (e.g. a specialist data protection solicitor)
  • the DPO’s contact details must be published and made available to the ICO
  • the DPO is to be involved, promptly, in all data protection matters
  • the organisation must ensure the DPO is adequately resourced (e.g. with support staff and ongoing training)
  • the DPO must be able to operate independently, on the basis of the DPO’s own judgement, rather than under instruction from other members of the organisation
  • the DPO may not be dismissed or penalised for the proper execution of responsibilities
  • the DPO must report to the highest level of management within the organisation (e.g. directly to the board of directors)
  • the DPO must not be asked to perform any other duty that might give rise to a conflict of interests

So the DPO needs to understand this area of law – and understand it well. “Expert knowledge” is a reasonably high standard of capability. In almost all cases this will involve sending the DPO on appropriate training, especially if this is an internal appointment of someone without prior exposure to data protection law.

Should I accept an appointment as DPO?

On the basis of the above, if you are invited to act as your organisation’s Data Protection Officer, I would suggest asking the following questions:

  1. Will I be reporting directly to the highest level of management in the organisation? (E.g. the board of directors or trustees.)
  2. Could my other duties involve any conflict of interests? (E.g. a member of a marketing department may be asked to treat personal data with less care than that expected of a DPO.)
  3. Do I have the requisite, detailed knowledge of data protection law and practice? Or if not, will I be appropriately trained before taking on the responsibility?
  4. Will my organisation give me everything I need to do the job (including extra pairs of hands, where necessary)?
  5. Will I be able to operate independently (rather than coming under pressure from senior members of staff)?
  6. Is it likely that my organisation will take exception to my work as DPO and punish or dismiss me?
  7. Can I be sure my other duties within the organisation won’t include determining how data is to be processed (thus breaking the independence principle)?

If your answer to any of these questions is “no”, you should decline the appointment – or at least discuss further until you are sure all the above conditions are satisfied. As a DPO you will be involved in many tasks related to data protection – managing subject access or right to be forgotten requests, conducting data protection impact assessments or legitimate impact assessments, keeping yourself apprised of the current state of the law, ensuring your organisation continues to comply with GDPR principles of privacy by design, minimisation, accountability and so on.

Make no mistake about it: it’s a big job, especially at a larger organisation. If you do decide to take on the role, I’d recommend taking a GDPR-specific data protection course with a reputable provider. IAPP offers the CIPP/E certification (Certified Information Privacy Professional/Europe), for example.

Tasks of the DPO

Article 39, GDPR states that the DPO should as a minimum do the following:

  • keep the organisation up to date with data protection obligations
  • monitor the organisation’s ongoing compliance
  • raise awareness of data protection requirements, throughout the organisation
  • advise and guide in relation to data protection impact assessments
  • cooperate and liaise with the Information Commissioner’s Office
  • always be mindful of privacy risks in relation to the organisation’s processing of data

So there’s a lot for the DPO to do. Given the scope of the organisation’s and the DPO’s responsibilities, many organisations may well choose to outsource this role. If you choose to pursue this path however, bear in mind that, depending on the size of your organisation, your third party may need to spend substantial time working with you – to the extent that appointing your own dedicated DPO may well be more cost-effective.

The UK Data Protection Bill arrives

It’s the moment we’ve all been waiting for… The government has now published the Data Protection Bill, which is intended primarily to enshrine the equivalent EU law. This nascent legislation, which confirms the powers of the ICO, covers:

  • EU regulation 2016/679 (the General Data Protection Regulation), which comes into force in the EU on 25 May 2018
  • EU directive 2016/680 (the Law Enforcement Directive), which comes into force in the EU on 6 May 2018

The GDPR runs to 88 pages and the LED 43, so perhaps it’s no great surprise that the Data Protection Bill weighs in at a hefty 218 pages. (Wide margins, so that’s something.) It’s going to take a while to wade through, but what we can say immediately is that it’s every bit as bad as we feared. Certainly the €20m/4% fines have survived the translation into Britlaw.

Unlike GDPR, the DPB has a contents page, which is great. It’ll be that bit easier to look up how much trouble we’re in.

Expect the Bill to come into force largely unchanged, probably by next May and definitely before Brexit.