The General Data Protection Regulation will make it mandatory for certain organisations to designate a data protection officer. But does yours actually need one? Joanne Bone, partner at Irwin Mitchell, offers a guide to what you need to know.
The General Data Protection Regulation (GDPR) will apply from 25 May 2018 and represents a complete overhaul of the current data protection regime. One of the requirements of the new regulation is the accountability principle, which requires you to demonstrate your compliance with the GDPR: not only must you do the right thing, you must be able to show that you are doing it. You can demonstrate compliance by implementing a range of different measures, one of which is appointing a data protection officer (DPO) where appropriate.
The practice of appointing a DPO is not new, and has already developed over many years in several countries (eg Germany and Sweden), but there is now a statutory obligation in the GDPR for businesses to appoint a DPO in certain circumstances.
There is a popular misconception that this obligation requires all organisations to appoint a DPO in all situations in order to be GDPR-compliant. This is not the case, and it is only a mandatory obligation in certain circumstances. You should therefore assess your collection and use of personal data to understand whether you will be required to appoint a DPO under the GDPR or not.
The obligation to appoint a DPO applies to both data controllers and processors. If your organisation meets any of the criteria set out below, it will be required to appoint a DPO.
Article 37(1) of the GDPR requires the compulsory appointment of a DPO where:
- the processing is carried out by a public authority or body (except for courts acting in their judicial capacity);
- the core activities of the controller or processor consist of processing operations which, by virtue of their nature, scope and/or purposes, require regular and systematic monitoring of data subjects on a large scale; or
- the core activities of the controller or processor consist of processing on a large scale of special categories of data (article 9) or personal data relating to criminal convictions and offences (article 10).
Given the lack of clarity in the above provisions, the article 29 working party (A29 WP) has adopted guidelines on data protection officers (WP 243) to explain what constitutes ‘regular and systematic monitoring’ and at what point processing can be defined as ‘large scale’.
Regular and systematic monitoring is not defined in the GDPR. According to the A29 WP, ‘regular’ covers processing that is ongoing, recurring or repeated at fixed times, and ‘systematic’ covers processing that is pre-arranged, organised or methodical, or that occurs according to a system. Examples given include tracking and profiling on the internet (including for the purposes of behavioural advertising), profiling and scoring for the purpose of risk assessment (such as credit scoring or fraud prevention) and location tracking.
The A29 WP recommends that a number of factors are taken into consideration when determining whether processing is carried out on a ‘large scale’, including:
- the number of data subjects concerned, either as a specific number or as a proportion of the relevant population;
- the volume of data and/or the range of different data items being processed;
- the duration, or permanence, of the processing activity; and
- the geographical extent of the processing activity.
An example of such large-scale processing given by the A29 WP is processing of customer data in the course of business by an insurance company or bank.
Where the GDPR does not require the mandatory appointment of a DPO, you can nevertheless appoint one on a voluntary basis. This is a decision worth considering, as there are clear benefits to a voluntary appointment and it is encouraged by the A29 WP. It will also show the Information Commissioner’s Office (ICO) and your customers that you are committed to complying with your data protection obligations. You can’t be wrong for appointing a DPO, but you can be wrong for taking the decision not to do so.
You should, however, bear in mind that if you appoint a DPO voluntarily, the requirements of articles 37 to 39 of the GDPR (on the DPO’s position, independence, resources and tasks) apply as if the appointment had been mandatory. You must therefore ensure that your business is able to comply with all the obligations that come with the role; if not, you should not use the title of DPO within your business, and you should clearly document that you have decided not to appoint a DPO and the reasons for that decision.
If you decide that having a formal DPO appointment is not necessary, it is still a good idea to have someone who is the focus of GDPR compliance within the business, and can deal with such things as subject access requests and communication from the ICO.
Although the appointment of a DPO may seem like a burden, it can in fact be advantageous: the DPO facilitates compliance with data protection obligations in a centralised manner. Getting compliance right, and being able to demonstrate that you comply with the GDPR, can give you a competitive advantage, enabling you to develop a relationship of trust and confidence both internally with your employees and externally with your customers and suppliers.
This is an abridged version of an article that first appeared in the Law Society’s in-house magazine, Inside Out.