StaRs: Time to prioritise, but not to panic
There is currently no legal requirement for companies to appoint a dedicated officer responsible for data protection; the Information Commissioner’s Office merely encourages this as good practice. However, this will change when the General Data Protection Regulation (“GDPR”) comes into force in May 2018 and introduces a requirement for certain organisations to appoint a Data Protection Officer (“DPO”).
The Article 29 Working Party has issued its final guidance (“the WP29 Guidance”) on the appointment of DPOs. This guidance aims to help with compliance with the GDPR, assist DPOs in their role and provide best practice recommendations.
From May 2018, you will be required to appoint a DPO if one of the following applies:
The GDPR provides no definition of what constitutes a ‘public authority or body,’ and the WP29 Guidance considers that ‘such a notion is to be determined by national law.’ To that end, the Data Protection Bill (which is currently making its way through Parliament) defines the following as “public authorities” and “public bodies” under UK law:
While the Data Protection Bill has not yet become law, it is likely that examples will include councils, schools, emergency services etc. It may also cover private companies that carry out public functions or services, for example in the areas of water, transport, energy and housing.
The WP29 Guidance explains that ‘core activities’ can be considered as the key operations necessary to achieve the controller’s or processor’s goals. These include all activities where the processing of data forms an inextricable part of the organisation’s activity.
There is no definition of what constitutes ‘large scale processing’ in the GDPR, but the WP29 Guidance recommends that organisations take into account a number of factors such as the number of data subjects involved, the duration and geographical extent of the processing and the volume of data items being processed.
Examples of large scale processing include:
‘Special categories of personal data’ is defined in Article 9 of the GDPR and broadly covers the same categories as ‘Sensitive Personal Data’ as defined in the Data Protection Act 1998. This includes data which would reveal information such as ethnic origin, personal opinions, religious beliefs and health data, and applies to, amongst others, trade unions, healthcare providers storing patient records and polling companies.
It is also open to the Government to specify other circumstances requiring a DPO to be appointed. As it stands, the UK has not made any indications it will make appointing a DPO mandatory in any further circumstances than those set out in the GDPR.
The violation of the DPO related provisions of the Regulation may cause huge administrative fines (up to 10,000,000 EUR, or up to 2% of the total worldwide annual turnover of the preceding financial year, whichever is higher).
The WP29 recommends that, unless it is obvious that there is no need to appoint a DPO, businesses should keep a record of the decision-making process which demonstrates that they have considered all relevant factors properly.
This is just one element of the suite of documents which should be maintained in accordance with the new GDPR principle of accountability and which may be requested by the ICO at any time. Every time your business undertakes new activities or offers new services, you should reconsider whether a DPO is required and update your records accordingly.
For many organisations, the question of whether a DPO will be needed will not be straightforward. The ICO is currently developing a ‘Guide to the GDPR’ which should provide greater clarity and guidance of how it will impact businesses in the UK.
Even if it is clear that you are not required to appoint a DPO, you should carefully consider the various obligations upon both the DPO and the organisation before appointing one in any event.
You may still designate an individual or provider to assist you in meeting your data protection obligations. This will both improve your compliance and provide the ICO with reassurance that you have taken your obligations seriously in the event of a data protection breach.
The DPO will be a stand-alone appointment, carrying significant responsibility. The DPO’s name will be a matter of public record and they must act as the advisor to you on all issues relating to data protection.
Where a DPO has been appointed, they are responsible for all the data processing activities carried out by the organisation. It is not possible to limit the remit of the DPO to a section of the organisation’s activities.
Their primary duty is to monitor compliance with the GDPR. Although the organisation itself is liable for any non-compliance, the DPO will have a great deal of responsibility.
The tasks the DPO will be responsible for are set out in Article 39 of the GDPR. These are:
In addition, WP29 Guidance suggests:
For this reason, organisations must ensure that employees have a confidential means of communicating with the DPO. Where the DPO is internal, face-to-face discussions can of course be confidential. However, if an organisation employs an external DPO, it must ensure that employees are provided with a way of contacting the DPO which is not monitored by the organisation.
The DPO must be independent and autonomous. This means that organisations cannot instruct the DPO how to complete tasks. Senior managers (including the heads of Human Resources, Marketing or IT) are barred from serving as the DPO. Existing privacy officers may also not be appropriate as a result of their existing role and responsibilities with respect to the day-to-day implementation of data processing systems.
The DPO must be appointed “on the basis of professional qualities and, in particular, expert knowledge of data protection law and practices”. Although they do not need to be legally qualified, they must have expert knowledge of data protection law, and records should be kept to demonstrate their qualifications, amongst other things. The WP29 Guidance suggests that the required level of expertise must be commensurate with the “sensitivity, complexity and amount of data an organisation processes”. It is essential for the DPO to have a good understanding of your business and be familiar with your IT infrastructure.
Conflict of interest issues may still arise if your DPO is external to your organisation. For example, if an organisation’s lawyer has been appointed, the DPO will be unable to represent the organisation in litigation or cases involving data protection issues.
The DPO can be an employee or engaged by way of a service contract. The terms of their appointment should be given specific thought, particularly to ensure provisions relating to confidentiality and conflicts of interest are compliant.
The GDPR also makes it clear that a DPO cannot be dismissed, terminated or penalised for performing their tasks. As the WP29 Guidance highlights, the DPO cannot be dismissed for providing advice that the company does not agree with. However, the guidelines do not clarify whether the DPO could be dismissed if the company reaches the conclusion that they are not appropriate for the role. The GDPR is silent on what remedy, if any, the individual will have if they are dismissed. Commentators have suggested that this may be added to the list of automatically unfair reasons under the Employment Rights Act, but this remains to be seen.
The decision whether to appoint a DPO is just one element of your organisation’s GDPR compliance. Becoming compliant will inevitably involve an assessment of the nature of the data which your organisation processes, the role of that data within the organisation and the scale of processing, which will inform your decision concerning appointment of a DPO.
Should you decide that appointment of a DPO is necessary, it makes good sense to commence this process as soon as possible. It may take some time to identify an appropriate individual and once appointed, that person will be integral to the process of ensuring your organisation is GDPR compliant by May 2018.
Should you have any GDPR or data protection queries, please contact Kingsley Napley’s data protection team.