GDPR: Do we need a Data Protection Officer? If so, who?

With “GDPR go-live” just around the corner, one of the questions businesses need to be asking themselves is “Do we need to appoint a Data Protection Officer (DPO)?” Similarly, if your business asks you to act as its DPO, you should be asking what this involves, and whether you should accept the appointment.

Under GDPR, a business must accept considerable responsibilities towards its DPO. And the DPO takes on significant rights and obligations. The DPO shouldn’t simply be the person drawing the short straw in the organisation; it is a well known fact that the financial penalties under this legislation are potentially enormous. Correct appointment of a DPO is a crucial step towards mitigating data protection risks.

Do we need to appoint a DPO?

The relevant legislation is GDPR Article 37, which is entitled “Designation of the data protection officer”. The article states that an organisation must appoint a DPO if:

  1. it is a public authority (other than a court of law); or
  2. a primary function of the organisation involves “regular and systematic monitoring of data subjects on a large scale”; or
  3. the organisation processes “special” personal data (see Article 9) or data about convictions/offences, on a large scale.

The first and third points are perhaps the easiest to understand. Less clear is the meaning of “regular and systematic monitoring”.

The Article 29 Working Party (WP29) is a trans-national group composed to advise member states on the correct interpretation of GDPR. Helpfully, WP29 has issued guidelines concerning DPOs, most recently updated on 5 April 2017.

Section 5 of the guidelines provides clarification of this phrase, stating that it “clearly includes all forms of tracking and profiling on the internet, including for the purposes of behavioural advertising”. It then provides several useful examples that may fit the definition:

  • operating a telecommunications network
  • providing telecommunications services
  • email retargeting
  • data-driven marketing activities
  • profiling and scoring for purposes of risk assessment
  • location tracking
  • loyalty programs
  • behavioural advertising
  • monitoring of wellness, fitness and health data via wearable devices
  • closed circuit television
  • connected devices e.g. smart meters, smart cars, home automation, etc.

We don’t have a definition of “large scale”. The guidance offers some principles (how many data subjects, the geographical reach, etc.), but it is still a matter for the organisation to judge whether the data processing is large-scale. Suffice it to say: if you have a marketing database with hundreds of thousands of records, and you conduct targeted advertising campaigns, you’re probably caught by this requirement. Whatever you decide, make sure your decisions are recorded, in accordance with the principle of accountability.

One more point: even if GDPR doesn’t strictly oblige your organisation to appoint a DPO, it may be prudent to do so anyway. For one thing, it gives you a dedicated specialist, able to field queries related to data protection. For another, it is almost certainly good PR, since it communicates to partners, customers, etc., that you are taking data protection seriously. Bear in mind if you’re appointing a DPO, you must comply with the GDPR’s requirements relating to DPOs, whether or not the appointment is mandatory.

Characteristics of a DPO

Whether you’re appointing a DPO or you’ve been approached to act as your organisation’s DPO, it’s important to understand the obligations of the role. Articles 37 and 38 of the GDPR say that:

  • the DPO shall be selected on the basis of professional qualities
  • the DPO must have expert knowledge of data protection law and practices
  • the DPO may be a member of staff or a third party engaged for the purpose (e.g. a specialist data protection solicitor)
  • the DPO’s contact details must be published and made available to the ICO
  • the DPO is to be involved, promptly, in all data protection matters
  • the organisation must ensure the DPO is adequately resourced (e.g. with support staff and ongoing training)
  • the DPO must be able to operate independently, on the basis of the DPO’s own judgement, rather than under instruction from other members of the organisation
  • the DPO may not be dismissed or penalised for the proper execution of responsibilities
  • the DPO must report to the highest level of management within the organisation (e.g. directly to the board of directors)
  • the DPO must not be asked to perform any other duty that might give rise to a conflict of interests

So the DPO needs to understand this area of law – and understand it well. “Expert knowledge” is a reasonably high standard of capability. In almost all cases this will involve sending the DPO on appropriate training, especially if this is an internal appointment of someone without prior exposure to data protection law.

Should I accept an appointment as DPO?

On the basis of the above, if you are invited to act as your organisation’s Data Protection Officer, I would suggest asking the following questions:

  1. Will I be reporting directly to the highest level of management in the organisation? (E.g. the board of directors or trustees.)
  2. Could my other duties involve any conflict of interests? (E.g. a member of a marketing department may be asked to treat personal data with less care than that expected of a DPO.)
  3. Do I have the requisite, detailed knowledge of data protection law and practice? Or if not, will I be appropriately trained before taking on the responsibility?
  4. Will my organisation give me everything I need to do the job (including extra pairs of hands, where necessary)?
  5. Will I be able to operate independently (rather than coming under pressure from senior members of staff)?
  6. Is it likely that my organisation will take exception to my work as DPO and punish or dismiss me?
  7. Can I be sure my other duties within the organisation won’t include determining how data is to be processed (thus breaking the independence principle)?

If your answer to any of these questions is “no”, you should decline the appointment – or at least discuss further until you are sure all the above conditions are satisfied. As a DPO you will be involved in many tasks related to data protection – managing subject access or right to be forgotten requests, conducting data protection impact assessments or legitimate impact assessments, keeping yourself apprised of the current state of the law, ensuring your organisation continues to comply with GDPR principles of privacy by design, minimisation, accountability and so on.

Make no mistake about it: it’s a big job, especially at a larger organisation. If you do decide to take on the role, I’d recommend taking a GDPR-specific data protection course with a reputable provider. IAPP offers the CIPP/E certification (Certified Information Privacy Professional/Europe), for example.

Tasks of the DPO

Article 39, GDPR states that the DPO should as a minimum do the following:

  • keep the organisation up to date with data protection obligations
  • monitor the organisation’s ongoing compliance
  • raise awareness of data protection requirements, throughout the organisation
  • advise and guide in relation to data protection impact assessments
  • cooperate and liaise with the Information Commissioner’s Office
  • always be mindful of privacy risks in relation to the organisation’s processing of data

So there’s a lot for the DPO to do. Given the scope of the organisation’s and the DPO’s responsibilities, many organisations may well choose to outsource this role. If you choose to pursue this path however, bear in mind that, depending on the size of your organisation, your third party may need to spend substantial time working with you – to the extent that appointing your own dedicated DPO may well be more cost-effective.

The UK Data Protection Bill arrives

It’s the moment we’ve all been waiting for… The government has now published the Data Protection Bill, which is intended primarily to enshrine the equivalent EU law. This nascent legislation, which confirms the powers of the ICO, covers:

  • EU regulation 2016/679 (the General Data Protection Regulation), which comes into force in the EU on 25 May 2018
  • EU directive 2016/680 (the Law Enforcement Directive), which comes into force in the EU on 6 May 2018

The GDPR runs to 88 pages and the LED 43, so perhaps it’s no great surprise that the Data Protection Bill weighs in at a hefty 218 pages. (Wide margins, so that’s something.) It’s going to take a while to wade through, but what we can say immediately is that it’s every bit as bad as we feared. Certainly the €20m/4% fines have survived the translation into Britlaw.

Unlike GDPR, the DPB has a contents page, which is great. It’ll be that bit easier to look up how much trouble we’re in.

Expect the Bill to come into force largely unchanged, probably by next May and definitely before Brexit.

GDPR: what is a small UK business to do?

Although it’s nearly upon us, it seems like many businesses remain unaware of the impending data protection doom of the General Data Protection Regulations. Small businesses in particular. It’s easy to think that (a) there’s no way you’d have time to prepare your business and (b) it won’t apply to you in any event.

The trouble is, that’s a risky position to take. When it comes into force on 25 May 2018, GDPR will usher in fines of up to €20m (and beyond). On top of that, consumers will be increasingly ready and willing to sue companies over data protection issues. Every business needs to take GDPR seriously, then.

Under the current regime, governed by the Data Protection Act, the maximum fine for a data breach is £500k. Under GDPR, at present Euro exchange rates, it’s 34 times that amount. Our data protection enforcement body, the Information Commissioner’s Office (ICO), is about to have a major weapons upgrade.

In June 2017, the ICO fined Morrisons £10,500 for a marketing faux pas. In July, the company under the cosh was MoneySuperMarket and the fine, £80,000. Scaling those fines up 34 times and you’re looking at £357k and £2.7m respectively.

Now it might not work that way in practice, but we’re still looking at huge potential exposure – the kind of exposure that could put a company out of business. Realistically a smaller company is likely to face a smaller fine (smaller customer databases, smaller likely impact from any breach). But also, a smaller company, with less resources to apply to security and cyber risk insurance, is more likely to fall foul of the regulations and be fined. Again and again and again.

Does this sound alarmist? Possibly. It all comes down to risk really. If you’re happy to play fast and loose with your customers’ data in full knowledge of the consequences, read no further. But if all this is giving you pause for thought, stick with me.

But Brexit?

Sorry; we’ll be following GDPR regardless of Brexit.

250 is the magic number

The regulations impose differing obligations on companies, depending on number of employees. The legislation will be less onerous for companies with fewer than 250 members of staff. But still onerous.

If you’re under the 250 mark, but you process or store much personal data (customers, suppliers, employees), GDPR will apply to you in full. So if you’re running a greengrocer’s you’re probably okay. If you’re running a small accountancy firm, well you’ve got a lot of work to do. And we can’t afford to ignore this, right?

New stuff

We’re already covered by the Data Protection Act in the UK. GDPR significantly enhances personal data protection and privacy by imposing:

  • Significant changes when it comes to consent. You may not market to anyone who has not consented. And consent has to consist of an act on the part of the person. Pre-ticking consent boxes on website won’t fly any more.
  • Clarity and ease. It must be easy for consumers to understand what it is they’re consenting to, and easy for them to withdraw consent. Consent must be defined by channel (e.g. email/telephone/SMS) and duration (how long the consent will last).
  • Data portability. If someone asks for a copy of the data you hold on them, you must supply it within 30 days, in a common electronic format (Word document, Excel spreadsheet, PDF file, etc.).
  • Accuracy. You are obliged to correct any incorrect data – including, if you’ve shared that data with a third party, making them correct it too.
  • A right to be forgotten. If someone asks you to remove their data, and you have no other legitimate reason to keep it, you have to remove it.
  • Mandatory data breach processes. If you become aware of a breach that affects personal privacy, you will need to tell the ICO within 72 hours of discovering the breach. Essentially means you need a bullet-proof data breach policy in place.
  • Privacy by design. If you’re designing a new system or business process, you must consider privacy at the outset (and you must document the fact).
  • Data Protection Impact Assessments. If a piece of work is likely to represent a high risk when it comes to personal data, you must conduct a DPIA. The GDPR does not specify the detailed process, but it’s essentially based on risk analysis. If after your analysis, you conclude there is a high risk to privacy, you must consult the ICO before commencing work.
  • Data Protection Officer. If your business is over the 250 mark, or under it and you process personal data, you must appoint a Data Protection Officer. And that DPO needs to have some idea of the responsibilities of the role. Reading this blog post should help!
  • A broad definition of “personal data”. This now includes IP addresses, for example. It’s essentially any data that identifies a person or that could be used with other data to identify a person.
  • Security. The legislation requires you to take reasonable steps to protect personal data. Think encryption, robust passwords for access, principle of least privilege, need to know, etc.

What do I need to do?

If you’re reading all this for the first time, you’ve probably already started to identify areas of your business that you’ll need to review. Here’s a general plan of attack that I would recommend:

  1. Appoint a Data Protection Officer.
  2. Review all your data, thoroughly. If you have more than one employee, you’ll probably need to involve others in this process. If you don’t know where your data is or what data you’re holding, you will be oblivious to your compliance obligations. And obliviousness is no defence I’m afraid, when it comes to penalties.
  3. If you undertake any marketing activity at all, use the remaining time you have between now and May to seek consent from your existing customer base. If you don’t have their consent post-May 2018, and you market to them, you’re liable to be fined and/or sued.
    For companies with large marketing operations, this will be quite a sizeable undertaking. Make sure when you’re collecting consent, you note when consent was granted, which channels it covers and how long it will last. In future, you’ll need a process to renew consent before expiry, or to expunge expired data.
  4. Ensure that in any automated process you use to collect consent, you don’t use pre-ticked boxes or similar. Also, don’t do this anymore: “If you don’t reply to this email, we’ll assume you want to hear from us…”
  5. Update any privacy notices, particularly taking account of the obligation to be clear. Pretend you’re writing it to be read by a 12 year old.
  6. Put in place processes to amend or delete data when required to do so.
  7. Develop a process to provide a copy of all data to a consumer, when asked.
  8. If there’s a chance you will process the data of anyone under the age of 13, you’ll need a process for obtaining parental consent.
  9. Write a data breach response plan. This doesn’t need to be a 100 page document. Just simple steps to follow in case of a breach – which include notifying the ICO and the affected consumers as appropriate.
  10. If in doubt, seek professional help.

Disclaimer

I’m writing this as a Certified Information Systems Security Practitioner and a non-practising solicitor. These guidelines do not constitute legal advice, but I hope they will point you in the right direction. The truth is that these regulations aren’t in force yet, so nobody really knows quite what impact they will have on the data protection landscape. It will be a big shake-up though, that’s for sure.

Featured photo used with permission.