As the deadline for the General Data Protection Regulation approaches, Katie Harris-Wright, senior associate at Birketts LLP considers whether firms should have a data protection officer.
The General Data Protection Regulation (GDPR) will come into effect on 25 May 2018 and will replace the Data Protection Act 1998. Given that the GDPR is a piece of EU legislation, it would be easy to think that Brexit means that its effect will be time limited.
However, the Government confirmed that the GDPR will be fully implemented, meaning that employers will need to update their policies and procedures to comply.
One of the key changes introduced by the GDPR is the statutory position of a Data Protection Officer (DPO), who will have a pivotal role in ensuring compliance with the GDPR. In this article we will look at which organisations will need a DPO and what the role will involve.
Who needs a DPO?
The GDPR provides for the mandatory appointment of a DPO if an organisation’s activities consist of:
- processing operations which by virtue of their nature, scope or purposes require regular and systematic monitoring of data subjects on a large scale;
- processing special categories of personal data on a large scale (this includes data which reveals racial or ethnic origin; political opinions, religious or philosophical beliefs and such other information); or
- processing personal data on a large scale relating to criminal convictions and offences.
In addition, all public authorities are required to appoint a DPO (with the exception of courts acting in their judicial capacity).
A failure on the part of an organisation to appoint a DPO when it is required to do so can result in a fine of up to EUR 10 million, or 2% of the previous year’s total worldwide turnover, whichever is higher.
An organisation will need to make its own assessment as to whether or not it is required to appoint a DPO. This may not be an easy exercise given that some of the terminology used in the legislation is open to interpretation. Thankfully, the Article 29 Working Party (an independent advisory body to the European Commission on data protection) has published specific guidelines on DPOs which provide additional guidance.
Working Party Guidelines
The guidance states that “core activities” are the key operations necessary to achieve the controller’s or processor’s goals, and this includes any processing activities which form an inextricable part of the controller’s or processor’s goals (but which are more than just ancillary activities).
For example, the core activity of a hospital is healthcare. However, a hospital could not provide healthcare effectively without processing health data, such as patients’ health records. Therefore, processing this data should be considered as one of any hospital’s core activities (and hospitals must therefore designate DPOs).
On the other hand, all organisations carry out certain support functions, for example paying employees. This is a necessary support function, but is considered to be ancillary to the organisation’s core activities.
The GDPR does not define what is meant by “large scale”, but the guidelines recommend that organisations take the following into account:
- The number of data subjects concerned.
- The volume of data or range of data items.
- The duration of the processing.
- The geographical extent of the processing.
Examples of large-scale processing include:
- Processing customer data in the regular course of business by an insurance company or a bank.
- Processing personal data for behavioural advertising by a search engine.
- Processing travel data of individuals using a city’s public transport system (e.g. tracking via travel cards).
The guidelines also give the following examples that do not constitute large-scale processing:
- Processing of patient data by an individual physician.
- Processing of personal data relating to criminal convictions and offences by an individual lawyer.
In terms of “regular and systematic monitoring”, this includes all forms of tracking and profiling on the internet, including for the purposes of behavioural advertising. However, the concept of monitoring applies to offline activity as well.
Please note that even if an organisation is not required to appoint a DPO, it may still decide to appoint one voluntarily in order to demonstrate a commitment to data protection obligations. If an organisation takes this step, it is then required to comply with the rules regarding DPOs.
Role and appointment of the DPO
An organisation can decide whether to have an in-house DPO role, or to outsource the role. What is important is that the DPO has expert-level knowledge of data protection law and is able to do the following:
- Inform and advise all staff who carry out data processing of their obligations under the GDPR.
- Monitor compliance with data protection laws and internal company policies (including other EU or member state data protection laws that relate to personal data). Areas to monitor include the assignment of responsibilities, awareness raising and training of staff involved in data processing.
- Provide advice on and monitor data protection impact assessments.
- Cooperate with and act as a point of contact with supervisory authorities.
The DPO should be the first point of contact for all matters and queries relating to data protection compliance and should report directly to the highest level of management (typically the board of directors). The GDPR includes specific protections for DPOs against dismissal and being subjected to any penalties as a result of carrying out his or her role, and it is important to bear in mind that these protections will apply even if the employer voluntarily appoints someone to the role rather than being required to do so.