Data Protection Officers: Myth Buster
We don't ALL currently need a DPO!
It irks me somewhat that the removal of the requirement to designate a DPO, as part of the UK data reform plans, is cited as a way of easing the legislative burden on small businesses.
Let’s be absolutely clear: most small organisations are unlikely to fall under the current UK GDPR (or EU GDPR) requirement to appoint a DPO. Many medium-sized businesses won’t necessarily need a DPO either.
Let’s also be clear: if you fall under the mandatory requirement, or voluntarily choose to appoint a DPO, this is currently a clearly defined role in law. UK/EU GDPR sets out specific tasks a DPO is responsible for, and the organisation has a duty to support the DPO to help them fulfil these responsibilities.
The DPO Confusion!
I believe GDPR (perhaps inadvertently, through media coverage and elsewhere) created a degree of confusion about who needed a DPO and what the role actually entails.
It led many businesses to voluntarily appoint one, thinking they really should. It led clients to include ‘do you have a DPO?’ in their due diligence questionnaires, and suppliers to think, ‘oh, we’d better have one.’
Some organisations understood the DPO requirements, others perhaps less so. Many will have informed the ICO (or EU regulator) who their DPO is, others won’t.
Some DPOs will be striving to fulfil their designated tasks, others won’t have the resources to do this, some may be blissfully unaware of the legal obligations their role carries with it.
When is it currently mandatory to have a DPO?
The law tells us you NEED to appoint a DPO if you are a Controller (or a Processor) and any of the following apply:
- you are a public authority or body (except for courts acting in their judicial capacity); or
- your core activities require large-scale, regular and systematic monitoring of individuals (for example, online behaviour tracking); or
- your core activities consist of large-scale processing of special categories of data or data relating to criminal convictions and offences.
This raises questions about what’s meant by ‘large-scale’, and about what happens if you are found not to have appointed a DPO when you should have. The truth is many smaller businesses and not-for-profits don’t have to have one.
When it comes to interpreting ‘large-scale’, the Article 29 Working Party Guidelines on Data Protection Officers (WP243, endorsed by the European Data Protection Board) provide some examples, such as a hospital processing patient data in the regular course of business, or a bank or insurance company processing customer data.
What are your current options if you don’t fall under mandatory requirements?
The ICO tells us all organisations need to have ‘sufficient staff and resources to meet the organisation’s obligations under the GDPR’. If you don’t fall under the mandatory requirement, you currently have a choice:
- voluntarily appoint a DPO, or
- have a team or individual responsible for overseeing data protection, in a proportionate way based on the size of your organisation and the nature of the personal data you handle.
What is the ‘position’ of the DPO?
If you appoint a DPO, UK/EU GDPR tells us they must:
- report directly to the highest level of management
- be given the independence and autonomy to perform their tasks
- be given sufficient resources to be able to perform their tasks
- be an expert in data protection
- be involved, in a timely manner, in all issues relating to data protection.
In short, not just anybody can be your DPO.
They can be an internal or external appointment. In some cases a single DPO can be appointed to represent several organisations. They can perform other tasks, but there shouldn’t be a conflict of interest. (For example, a Head of Marketing also being the DPO would be an obvious conflict.)
A DPO must also be easily accessible, for individuals, employees and the ICO. Their contact details should be published (e.g. in your privacy notice) and the ICO should be informed who they are.
What tasks should a DPO fulfil?
The DPO role currently has a formal set of accountabilities and duties, laid down within the GDPR.
- Duty to inform and advise the organisation and its employees about their obligations under UK/EU GDPR and other data protection laws. This includes laws in other jurisdictions which are relevant to the organisation’s operations.
- Duty to monitor the organisation’s compliance with the UK GDPR and other data protection laws. This includes ensuring suitable data protection policies are in place, training staff (or overseeing this), managing data protection activities, conducting internal reviews & audits, and raising awareness of data protection issues & concerns so they can be tackled effectively.
- Duty to advise on, and to monitor data protection impact assessments (DPIAs).
- Duty to be the first point of contact for individuals whose data is processed, and for liaison with the ICO.
In short, you can’t appoint a DPO in name only.
It’s also worth noting that if you don’t follow the advice of your DPO, you should document why you didn’t act on their recommendations. A DPO also cannot be dismissed or penalised for performing his or her duties.
What changes are on the cards?
The mandatory requirement to appoint a DPO is set to be dropped. The Data Protection and Digital Information Bill includes a new requirement to appoint a ‘senior responsible individual’ (SRI) for data protection, who is part of the organisation’s senior management.
The SRI will have similar tasks to a DPO under GDPR, which can be delegated. An SRI will need to be appointed when an organisation’s activities are likely to result in a high risk to the rights and freedoms of individuals.
It seems this role won’t have the strict independence requirements of a DPO under GDPR, and the proposed change raises a number of questions. What happens to existing DPOs? Will they need to be appointed to senior management? Or will a member of the senior management team need to be appointed as SRI and be able to delegate tasks to the existing DPO? What about organisations who operate in Europe and need a DPO under EU GDPR?
Clarity on this would be very welcome.