Welcome to the first in our series of articles focusing on different aspects of the General Data Protection Regulation ('GDPR'). These are practical guides designed to assist your organisation with its preparations in the run up to the implementation of the new legislation. This month's article focuses on the role of the Data Protection Officer ('DPO').
As a brief introduction, the GDPR will replace the Data Protection Act 1998 ('DPA') on 25 May 2018 and will remain in force for as long as the UK is a member state of the EU. The government has indicated that the UK will adopt similar, if not identical, legislation once the UK departs from the EU.
The purpose of the GDPR is to modernise and unify the data protection laws across the EU. It will ensure that the personal data of the citizens of the EU is adequately protected in an age where data is such a valuable commodity.
Several aspects of the GDPR will be familiar to those acquainted with the DPA. For instance, the key concepts of data controllers (those who determine how data is processed), data processors (those who process data on behalf of data controllers) and data processing (which includes collecting, using and storing data) are broadly unchanged under the GDPR.
The GDPR also introduces a number of new concepts and significantly expands existing obligations. For example, individuals will have new rights regarding the way in which their data is processed, and new obligations will be placed on organisations to ensure that individuals are fully informed of how their data is being used. Additionally, the maximum fine which the ICO can impose is set to increase from £500,000 under the DPA to €20,000,000 or, if higher, 4% of an organisation's annual global turnover.
Not all of the terms used in the GDPR are defined, which has created some uncertainty for controllers and processors. Fortunately, we have two sources of guidance: the Article 29 Working Party and the Information Commissioner's Office. The Working Party is the independent European advisory body on data protection and privacy, and the ICO is the office responsible for the enforcement of data protection law in the UK. Both are publishing guidance to help organisations prepare for the GDPR's arrival.
Under the GDPR, appointing a DPO will be mandatory for organisations if:
What constitutes a public authority or body will be determined by national law so both phrases will have their usual meaning. Where an organisation is not a public body but it carries out a public task (such as water and energy supply or providing public transport), the Working Party recommends that it appoints a DPO even though it is not required to do so.
The "core activities" will be the primary activities which amount to the key operations necessary to achieve the controller's or processor's goals and which are more than ancillary. A core activity will also include processing which forms an inextricable part of the controller's or processor's activity. The Working Party takes the example of a hospital: a hospital's core activity is providing health care. However, the hospital could not provide health care without processing health data (e.g. patient medical records), and therefore processing that health data will be one of the hospital's core activities.
What amounts to processing on a "large scale" is not so clearly explained by the Working Party. It gives only the end points: processing of patient data by a hospital in the regular course of its business will be large scale, whereas processing of patient data by an individual physician will not. That leaves a rather large grey area in between, and organisations that fall within it should document the factors they have weighed (such as the number of data subjects, the volume and range of data, the duration of the processing and its geographical extent) and the conclusion they reached.
One point which is rather more certain is that the requirement to appoint a DPO shall apply regardless of whether your organisation is a data controller or a data processor.
Even if your organisation is not required to appoint a DPO, it can do so voluntarily. Appointing a DPO voluntarily will show the ICO and the public that your organisation is committed to its data protection obligations. It has also been argued that appointing a DPO may even be a competitive advantage. On the down side, if your organisation does appoint a DPO voluntarily, it will be bound to comply with the rules regarding DPOs (set out below). When designating a role to handle data protection within your organisation, it is essential to make it clear whether they are a DPO or not.
The GDPR requires the DPO to be "designated on the basis of professional qualities and, in particular, expert knowledge of data protection law and practices…" The level of expert knowledge required should be determined according to the data processing operations carried out and the level of protection required for the personal data being processed. When appointing a DPO, you will therefore first need to consider the sensitivity, complexity and amount of data your organisation processes.
An organisation does not need to employ its designated DPO but could contract with an external individual or organisation to exercise the role. The Working Party has indicated that the DPO does not need to be a single individual but it also stresses that where a group of individuals are acting as the DPO, there must be a clear allocation of tasks and a single individual should be the lead contact for any particular organisation.
As an aside, controllers and processors with a DPO must publish the contact details of the DPO and communicate those details to the ICO. The contact details will usually include a postal address, dedicated phone number and a dedicated email address. The Working Party has made it clear that organisations are not required to publish the name of the DPO (although it may be best practice to do so depending on the circumstances).
The GDPR includes a general requirement for the DPO to be involved, properly and in a timely manner, in all issues which relate to the protection of personal data, and to monitor compliance with the GDPR. It also includes more specific requirements for the involvement of the DPO, for example in relation to data protection impact assessments: the DPO has a duty to provide advice on a data protection impact assessment where requested and to monitor how that assessment is carried out.
Even though the organisation is required to involve the DPO in issues relating to the protection of personal data, it is not bound to comply with the DPO's advice. That said, if the organisation does not follow the DPO's advice, it should give the advice due weight and clearly document its reasons for departing from it.
The GDPR requires the DPO to have a significant degree of autonomy within the organisation. Controllers and processors are required to ensure that the DPO does not receive any instructions regarding how to perform their tasks and is in a position to perform the role in an independent manner.
The GDPR expressly prohibits the controller or processor from dismissing or penalising the DPO for performing their tasks. DPOs can still be dismissed for gross misconduct in the usual way, but they cannot be dismissed (or even threatened with dismissal) for performing the role as the GDPR requires.
The DPO can have other roles in the organisation as long as those roles do not conflict with their role as DPO. The Working Party has made it clear that the DPO "cannot hold a position within the organisation that leads him or her to determine the purposes and the means of the processing of personal data". The line between the DPO's duties and the controller's or processor's own duties can be fine. For example, it is the responsibility of the controller to maintain a record of the processing operations under its responsibility, and of the processor to maintain a record of all categories of processing activities carried out on behalf of a controller. In practice it may well be the DPO who creates those inventories and holds the register of processing operations, even though this is not a specific requirement of the role.
We expect that many organisations will already have someone in place who oversees most issues relating to data protection; for example, the Head of Information Governance, a commercial director or in-house counsel. It's fair to say that the role of the DPO is likely to differ from the existing post.
For organisations which handle large quantities of sensitive personal data (renamed "special categories of personal data" under the GDPR), the duties of the DPO are likely to amount to a full-time job. That may not be compatible with other tasks, given the strict requirement to ensure that the DPO does not take on other duties which could conflict with their obligations under the GDPR.
Organisations which are not required to appoint a DPO need to tread carefully: there are clear benefits to voluntarily appointing a DPO but organisations first need to ensure that they will be able to comply with all of the GDPR obligations which come with the post. If not, it is important to ensure that those in your organisation do not use the title "DPO" and that you clearly document that you have not appointed a DPO.
Under the GDPR, data controllers and processors will need to show that good data protection is a cornerstone of their practices and for many the appointment of the DPO will be the first step.
Bevan Brittan's specialist Information Law team assist organisations with their preparations for the implementation of the GDPR. We can:
With the exception of courts acting in their judicial capacity.