Data Protection Officers under GDPR
Do you need one?
At Teal, one of the questions we often get asked is whether or not an organisation needs a Data Protection Officer (DPO). Under the GDPR, it’s mandatory for some organisations to appoint a person to act as their DPO; others may choose either to appoint a DPO on a voluntary basis or to decide that one is not required for the purposes of the Regulation and instead simply appoint someone to deal with data protection matters. In each case, your business will need to consider who this person should be, what their duties will be and what your business’s obligations are in relation to this person.
The WP29 guidance (the WP29 was an advisory body made up of representatives from the data protection authorities of each EU member state, the EU Commission and the European Data Protection Supervisor, which has now been replaced by the European Data Protection Board) recommends that organisations document the internal analysis carried out to determine whether or not they need to appoint a DPO. This can, for example, be via a memo to your governing body making recommendations as to whether a DPO should be appointed or not, as well as noting any decisions flowing from the recommendations. Whilst the appointment of a DPO isn’t always essential, the guidance states that organisations should assume that one is necessary unless they can demonstrate otherwise. Although a DPO appointment will show your commitment to complying with the GDPR, you need to bear in mind that once you appoint one, they’ll have to comply with the obligations of a DPO contained in the regulations.
Under the GDPR, controllers and processors must appoint a DPO if:
they are a public authority or body;
their core activities involve large scale, regular and systematic monitoring of individuals; or
their core activities consist of large scale processing of special categories of data or data relating to criminal convictions and offences.
So, it’s the nature of the processing you undertake, as a data controller or processor, that determines whether or not you need a DPO, and you need to consider to what extent you need to process personal data to function properly as an organisation. If such processing is essential to your operations, it is likely that you will need a DPO.
Whilst what constitutes “large scale” isn’t defined, the guidelines say that when determining if processing is on a large scale, you should take the following factors into consideration:
the numbers of data subjects concerned;
the volume of personal data being processed;
the range of different data items being processed;
the geographical extent of the activity; and
the duration or permanence of the processing activity.
Even if you decide not to appoint a DPO, the GDPR requires organisations to keep records of their processing and of any data breaches, and it’s important to ensure that your business has sufficient staff and resources to enable it to discharge its obligations under the GDPR.
Who can and can’t be a DPO?
The GDPR requires appointment of a DPO to be on the basis of a person’s ability to carry out those tasks, in particular, their experience and knowledge of data protection law. The regulations don’t specify the precise credentials a DPO is expected to have, but they do state that they should be proportionate to the type of processing being carried out and take into consideration the level of protection the personal data requires. Clearly it would be an advantage for a DPO to have a good knowledge of the relevant industry or sector, as well as your data protection needs and processing activities.
You can appoint an external DPO, which would avoid any conflict issues and is useful where there is no-one suitable within your business to take on the role. The WP29 guidance provides useful suggestions regarding the individuals within a firm who shouldn’t be the DPO, given that they are likely to be in a position of conflict because they may be responsible for determining the purposes and means of processing personal data; these include the Chief Executive Officer, Chief Operating Officer, Chief Financial Officer, Head of Marketing, Head of Human Resources and Head of IT. Other less senior roles may also be conflicted if they involve determining the purposes and means of processing. In many law firms, for example, it is likely that the Compliance Officer for Legal Practice (COLP) would be a suitable DPO. However, you would need to consider any other roles that the COLP fulfils for the firm, in particular if the COLP is also managing partner or holds another senior management role.
The GDPR contains a number of protections for DPOs and places obligations on the data controllers and processors regarding their DPO, a key one being to support the DPO by providing resources to enable them to carry out their tasks. DPOs must be independent, avoid conflicts of interest and cannot receive instruction regarding the performance of their tasks. The GDPR provides DPOs with protected employment status, meaning that you cannot dismiss or sanction a DPO simply for doing their job.
The DPO’s role
The DPO’s main responsibility is to inform and advise your organisation and staff about your obligations to comply with the GDPR and other data protection laws. They are responsible for monitoring compliance with the law and regulation and with your data protection policies, and also for raising awareness of data protection issues. This includes training staff and conducting internal audits where necessary. They are also responsible for advising on and monitoring any data protection impact assessments that you may undertake, and are the first point of contact for supervisory authorities and the individuals whose data you process. The ICO expects a DPO to take a risk-based approach and, for example, to focus on the more risky activities that a business may undertake (e.g. if you process special category data).
The DPO, or his/her team, should be involved from the earliest stage possible in all issues relating to data protection. This should include regular participation in senior management meetings and involvement in any decision which has a data protection implication, with all relevant information being provided to them as early as possible. You should ensure that due weight is given to the DPO’s opinion and, in case of disagreement, the reasons for not following the DPO’s advice should be documented.
The Law Society in its March 2018 advice article (Appointing a Data Protection Officer) took the view that most law firms will not need to appoint a DPO given that they would not be systematically monitoring data subjects on a large-scale and reiterated this view in further advice in August 2019 (Appoint a Data Protection Officer). At the same time they acknowledged that some firms might need to appoint a DPO where they are processing special categories of data, e.g. concerning health, ethnicity, political or religious beliefs, trade union membership, or sexual orientation of the firm’s clients, or relating to their criminal convictions and offences, and such processing might be conducted on a large scale.
Whilst firms might conclude that their processing falls outside the criteria for the mandatory DPO appointment, they may still wish to appoint a DPO on a voluntary basis - particularly if they are in any doubt on the matter. Some firms might also benefit from taking specialist advice on the matter, if they do not have the necessary expertise in their practice. Firms should keep a full record of their decision-making.
Whether or not you decide to appoint a DPO, you should ensure that all staff are aware of the existence of the person responsible for dealing with data protection matters within your organisation and of the importance of their role. That person must have a direct feed into your top-level management. It’s important to note that a DPO, where appointed, is not responsible for your business’s compliance with data protection law – this remains the responsibility of you as data controller or processor. However, a DPO, and indeed any other person appointed to deal with data protection matters, clearly plays a crucial role in overseeing your data protection strategy and its implementation and in helping you to fulfil your data protection obligations.