GDPR: Do you really need a Data Protection Officer (DPO)?
By now you’ll have heard that there’s huge change coming to European data protection law. The EU General Data Protection Regulation (GDPR) comes into force on 25th May 2018, replacing the Data Protection Act 1998 (DPA).
So, you’ve started doing your research as you prepare for GDPR – and you’ve noticed that the requirement to appoint a Data Protection Officer (DPO) is a feature of many articles. The DPO will play a key role in ensuring compliance with GDPR – but it’s not immediately obvious what is involved.
That’s why this article looks at what the role entails, the skill sets required and cuts through some of the confusion we’ve noticed. For example, what exactly is a DPO and does every organisation actually need to appoint one?
Background to the Data Protection Officer (DPO)
The role of the DPO is to help what the GDPR describes as data ‘Controllers’ and ‘Processors’ comply with data protection law and avoid the risks that organisations face when processing personal data. So, to give context to the role, it’s worth briefly discussing what a Controller and Processor does.
Data Controller: Article 4 (7) of the Regulation says… “Controller means the natural or legal person, public authority, agency or other body which, alone or jointly with others determines the purposes and means of the processing of personal data.”
In practice this means the organisation responsible for making decisions about personal data. For example, a bank might collect the data of its clients when they open an account.
Data Processor: Article 4 (8) of the Regulation says… “Processor means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.”
Typical examples are service providers providing outsourced services to the controller such as marketing, accounting and HR services. In so doing, they deal with or store personal information data in accordance with the instructions of the controller.
So, to differentiate the processor from the controller, the bank in the above example would be the controller and the outsourced HR company would be the processor that stores and then uses the customer’s personal data in accordance with the controller’s instructions.
The tasks of the DPO
The DPO is the data protection expert within the organisation and forms the link with both the public and the organisation’s employees in relation to the processing of personal information held. The DPO also acts as the person that data protection queries are directed to.
Article 37(5) of the Regulation details what is in effect a mini job description for the role:
“The DPO, who can be a staff member or contractor, shall be designated on the basis of professional qualities and, in particular, expert knowledge of data protection law and practices and the ability to fulfil the tasks referred to in Article 39.”
- Informing and advising the controller or the processor and their employees of their data protection obligations.
- Monitoring compliance with the Regulation, including the assignment of responsibilities.
- Awareness-raising and training of staff involved.
- Providing advice where requested as regards the data protection impact assessments (DPIAs) and monitoring compliance and performance.
- Engaging with the Information Commissioner’s Office or relevant Supervisory Authority.
The Regulation also stipulates that the DPO reports directly to top level management and must be given all resources necessary to carry out their functions.
It’s clearly a substantial role – but how do you know if you need to appoint one?
When do you need to appoint a DPO?
The Article 29 Working Party view is that you should assume that you do – unless you can demonstrate that you don’t. That’s because the criteria for appointing a DPO applies to most organisations. However, not every organisation needs to appoint one. Confused? The Regulation lays out three scenarios for a DPO as follows.
Controllers and processors of personal data shall designate (or recruit/engage) a DPO where:
- The processing is carried out by a ‘public authority’.
Although there’s no definition of such within the legislation. The guidance says that this is a matter for national law. In practice this is most likely to reflect the definition given in Section 3 Freedom of Information Act 2000.
- The ‘core activities’ require regular and systematic monitoring of data subjects on a ‘large scale’.
‘Core activities’ can be considered as the key operations necessary to achieve the controller’s or processor’s goals. There is no definition of what ‘large scale’ means, however examples could be processing customer data by an insurance company or bank, or processing personal data for behavioural advertising by a search engine.
- Where ‘core activities’ involve ‘large scale’ processing of ‘special categories’ of personal data and relating to criminal convictions and offences.
‘Special categories’ of data are broadly the same as Sensitive Personal Data under the Data Protection Act 1998. These cover ethnic origin, political opinions, religious beliefs and health data, and apply to, amongst others, polling companies, trade unions and healthcare providers storing patient records.
Are SMEs exempt?
There has been uncertainty whether it applies to SMEs – possibly because an earlier draft of the Regulation suggested ‘large scale’ meant organisations with 250 employees or with 5000 records. However, this uncertainty was quashed at Infosec 2017 in June by Peter Brown, the senior technology officer of the Information Commissioner’s Office (ICO).
“I’ve heard plenty of people talking about there being a DPO exemption for SMEs – this is absolutely not the case.”
Peter Brown, Senior Technology Officer, Information Commissioner’s Office (ICO).
Recruiting? The skill sets required
Clearly the DPO is a crucial role. With the potential of huge fines looming for non-compliance, there’s pressure to make the right appointment in what is already a very competitive marketplace. GDPR guidance offers some insight into what is required.
“Although Article 37 does not specify the professional qualities that should be considered when designating the DPO, it is a relevant element that DPOs should have expertise in national and European data protection laws and practices and an in depth understanding of the GDPR. It is also helpful if the supervisory authorities promote adequate and regular training for DPOs.”
If we were to draw up a very brief person specification, it might look like this:
- Expertise in national and European data protection laws and practices
- An in-depth understanding of the GDPR
- Understanding of data processing operations and data security
- Knowledge of the relevant business sector to the organisation
- Good communication skills – the DPO will be the public face of the organisation to the Information Commissioner’s Office – and the public
- Ability to promote a data protection culture within the organisation
If you don’t want to recruit
It is possible to effectively ‘share’ a DPO by working with other organisations – provided that the DPO is easily accessible and there are no conflicts of interest. Another option is to engage an external consultant, qualified to do the role as and when required – a solution particularly suited to a small to medium sized business which may not have the budget or the need for a full-time DPO.
Smaller organisations may also find that DPO responsibilities are a challenge to deliver, given the breadth of knowledge required to manage IT systems, and the requisite familiarity with the legal aspects of the GDPR.
If you are considering outsourcing the role, make sure that your consultant has a relevant qualification. One option is the Certified EU General Data Protection Regulation Practitioner qualification accredited to ISO 17024. This enables successful practitioners to fulfil the role of Data Protection Officer (DPO) under the GDPR, and covers the Regulation in depth. Another option is the BCS Data Protection Practitioner qualification.
When don’t you need a DPO?
The GDPR does not require every controller or processor to appoint a DPO. A private body or organisation, for example, does not have to appoint one if:
- Its main activities only seldom involve monitoring data subjects and with little infringement on those data subjects’ rights.
- It does not process special category personal information at all.
- It is only processing the special category personal information of a small group of data subjects.
However, the guidelines of the Article 29 Working Party on Data Protection recommends that, unless it is obvious organisations don’t need to appoint a DPO, they should keep records of their decision making process.
Remaining proactive to compliance
Even where a DPO is not required (as directed by the GDPR) you may wish to consider appointing an individual within your company to carry out that role on a voluntary basis. This will help to ensure that you are proactive in monitoring GDPR compliance. They don’t need to be called a DPO – you could use the term ‘Privacy Officer’ for example.
However, please note that Article 29 states that, when an organisation designates a DPO on a voluntary basis, the same requirements under Articles 37 to 39 will apply to the designation, roles and tasks as if the designation had been mandatory. In other words being part-time or voluntary is no excuse to perform the role to any lesser degree. Not having a DPO isn’t an excuse for non-compliance.
The DPO will be a high profile and highly accountable role requiring expertise in national and European data protection laws and practices and an in depth understanding of the GDPR. The GDPR does not require every controller or processor to appoint a DPO but, you should assume that you will need a DPO – unless you can demonstrate that you don’t.
It will be important to appoint the best fit for your organisation – taking into account its size and the sector you are in. As such, you will need to decide if appointing a full-time DPO is the best way to ensure your organisation complies with GDPR – or you look at other options – part-time, shared or an external consultant.
Preparing for the GDPR? Ascentor can steer you through the GDPR maze
This is your GDPR action plan, produced in one week. It’s a four-step process that will arm you with the knowledge to make business decisions regarding improvements and related resources.
If you are preparing for GDPR compliance, you’ll find our checklist of help. Please click the image to access your copy as a PDF download. As well as our own resources we’ve also provided some helpful advice from the Information Commissioner’s Office (ICO).No email is required.
For further information
If you have found this article of interest, the Ascentor blog regularly carries articles about Information Assurance (IA) and cyber security issues. You might also like to keep in touch with Ascentor by receiving our quarterly newsletter .
If you’d like to discuss the topic of GDPR and data protectionin more depth or any aspect of IA and cyber security, please contact Dave Jamesat Ascentor.
Office: 01452 881712
Other Ascentor articles on GDPR
For Further Information
If you have any questions about the topics we've covered, or would like to have a chat about any aspect of your own cyber security strategy, please get in touch with the team at Ascentor.
Please use the contact details below - also found on our Contact Us page.