Data Protection Officers: Myth Buster
We don't ALL currently need a DPO!
It irks me somewhat that the removal of the requirement to designate a DPO, as part of the UK data reform plans, is cited as a way of easing the legislative burden on small businesses.
The Government’s response to the Autumn consultation says ‘those who supported the removal of DPOs’ (who were in the minority) said this would be ‘beneficial for small businesses’. They’re pushing ahead, with much talk about how many of the planned changes will ease the burden on small businesses.
Let’s be absolutely clear: most small organisations are unlikely to fall under the current UK GDPR requirement to appoint a DPO. Many medium-sized businesses won’t necessarily need a DPO either.
Let’s also be clear: if you fall under the mandatory requirement, or voluntarily choose to appoint a DPO, this is currently a clearly defined role in law. The GDPR sets out specific tasks a DPO is responsible for, and the organisation has a duty to support the DPO to help them fulfil these responsibilities.
The DPO Confusion!
I believe GDPR (perhaps inadvertently, through media coverage and elsewhere) created a degree of confusion about who needed a DPO and what the role actually entails.
It led many businesses to voluntarily appoint one, thinking they really should. It led clients to include ‘do you have a DPO?’ in their due diligence questionnaires, and suppliers to think, ‘oh, we’d better have one.’
Some organisations understood the DPO requirements, others perhaps less so. Many will have informed the ICO who their DPO is, others won’t.
Some DPOs will be striving to fulfil their designated tasks, others won’t have the resources to do this, some may be blissfully unaware of the legal obligations their role carries with it.
When is it currently mandatory to have a DPO?
The law tells us you NEED to appoint a DPO if you are a Controller (or a Processor) and the following apply:
- you are a public authority or body (except for courts acting in their judicial capacity); or
- your core activities require large-scale, regular and systematic monitoring of individuals (for example, online behaviour tracking); or
- your core activities consist of large-scale processing of special categories of data or data relating to criminal convictions and offences.
This raises questions about what’s meant by ‘large-scale’ and what happens if you are found not to have appointed a DPO when you should have. The truth is many smaller businesses and not-for-profits don’t have to have one.
(When it comes to interpreting ‘large-scale’, the European Data Protection Board Guidelines on Data Protection Officers provide some examples.)
What are your current options if you don’t fall under mandatory requirements?
The ICO tells us all organisations need to have ‘sufficient staff and resources to meet the organisation’s obligations under the GDPR’. If you don’t fall under the mandatory requirement, you currently have a choice:
- voluntarily appoint a DPO, or
- have a team or individual responsible for overseeing data protection, in a proportionate way based on the size of your organisation and the nature of the personal data you handle.
What is the ‘position’ of the DPO?
If you appoint a DPO, UK/EU GDPR tells us they must:
- report directly to the highest level of management
- be given the independence and autonomy to perform their tasks
- be given sufficient resources to be able to perform their tasks
- be an expert in data protection
- be involved, in a timely manner, in all issues relating to data protection.
In short, not just anybody can be your DPO.
They can be an internal or external appointment. In some cases a single DPO can be appointed to represent several organisations. They can perform other tasks, but there shouldn’t be a conflict of interests. (For example, a Head of Marketing also being the DPO might be an obvious conflict.)
A DPO must also be easily accessible, for individuals, employees and the ICO. Their contact details should be published (e.g. in your privacy notice) and the ICO should be informed who they are.
What tasks should a DPO fulfil?
The DPO role currently has a formal set of accountabilities and duties, laid down within the GDPR.
- Duty to inform and advise the organisation and its employees about their obligations under UK/EU GDPR and other data protection laws. This includes laws in other jurisdictions which are relevant to the organisation’s operations.
- Duty to monitor the organisation’s compliance with the UK GDPR and other data protection laws. This includes ensuring suitable data protection policies are in place, training staff (or overseeing this), managing data protection activities, conducting internal reviews & audits and raising awareness of data protection issues & concerns so they can be tackled effectively.
- Duty to advise on, and to monitor data protection impact assessments (DPIAs).
- Duty to be the first point of contact for individuals whose data is processed, and for liaison with the ICO.
In short, you can’t appoint a DPO in name only.
It’s also worth noting that if you don’t listen to the advice of your DPO, you should document why you didn’t follow up on their recommended actions. Also, a DPO cannot be dismissed or penalised for performing his or her duties.
What changes are on the cards?
The mandatory requirement to appoint a DPO is going to be dropped, provided the UK Government’s plans survive the legislative process and the scrutiny this will entail.
The intention is to have a new requirement to appoint a ‘senior responsible individual’ for data protection. This could prove somewhat of a relief and may provide clarity for small to medium sized businesses. But the devil will be in the detail. Does this mean you won’t be able to have a ‘team’ of people responsible for data protection, which some organisations currently might have if they don’t have a DPO?
The consultation response says, ‘most of the tasks of a data protection officer will become the ultimate responsibility of a designated senior individual to oversee as part of the Privacy Management Programme.’
This role will include:
- representing or delegating a representative to the ICO and data subjects
- ensuring appropriate oversight and support is in place for the programme and appointing appropriate personnel
- providing tailored training to ensure staff understand the organisation’s policies
- regularly auditing the efficacy of the Privacy Management Programme.
We’re told organisations which currently have a DPO will be able to continue to do so. The catch is in the words ‘as long as there’s appropriate oversight from the senior accountable individual’. This seems to suggest that if you keep your DPO, you’ll need to have someone senior to them with overall responsibility for data protection.
If this is the case it could prove a headache for companies which fall within the scope of EU GDPR and need to retain a DPO. Or will they be the DPO for European purposes, and the senior responsible individual in the UK?
Who knows! The finer detail of the Data Reform Bill, when it’s published, will hopefully give us the nuance we need here.