Do you really need a data protection officer?

The General Data Protection Regulation will make it mandatory for certain organisations to designate a data protection officer. But does yours actually need one? Joanne Bone, partner at Irwin Mitchell, offers a guide to what you need to know.

The General Data Protection Regulation (GDPR) will come into force on 25 May 2018 and represents a complete overhaul of the current data protection regime. One of the requirements of the new regulation is the accountability principle, which requires you to demonstrate your compliance with the GDPR. Not only do you have to do the right thing, but you must also demonstrate that you are doing it. You can demonstrate compliance by implementing a range of different measures, one of which is appointing a data protection officer (DPO) where appropriate.

The practice of appointing a DPO is not new, and has already developed over many years in several countries (eg Germany and Sweden), but there is now a statutory obligation in the GDPR for businesses to appoint a DPO in certain circumstances.

There is a popular misconception that this obligation requires all organisations to appoint a DPO in all situations in order to be GDPR-compliant. This is not the case, and it is only a mandatory obligation in certain circumstances. You should therefore assess your collection and use of personal data to understand whether you will be required to appoint a DPO under the GDPR or not.

Who needs to appoint a DPO?

The appointment of a DPO applies to both data controllers and processors. If your organisation meets the criteria set out below, it will be required to appoint a DPO.

The GDPR requires the compulsory appointment of a DPO where:

  • the processing is carried out by a public authority or body
  • the core activities of the controller or the processor consist of processing operations which require regular and systematic monitoring of data subjects on a large scale
  • the core activities of the controller or the processor consist of processing on a large scale of sensitive personal data or personal data relating to criminal convictions and offences.

Given the lack of clarity in the above provisions, the article 29 working party (A29 WP) has adopted guidelines to explain what constitutes ‘regular and systematic monitoring’ and at what point processing can be defined as ‘large scale’.

Regular and systematic monitoring

Regular and systematic monitoring is not defined in the GDPR, but according to the A29 WP the concept of ‘regular’ includes ongoing, recurring or repeated at fixed times, and the concept of ‘systematic monitoring’ includes pre-arranged, organised, methodical and occurring according to a system. Examples include tracking and profiling on the internet (including for the purposes of behavioural advertising), profiling and scoring for the purpose of risk assessment (eg credit scoring or fraud protection), and location tracking.

Large-scale processing

The A29 WP recommends that a number of factors are taken into consideration when determining whether processing is carried out on a ‘large scale’, which include having regard to:

  • the number of individuals concerned
  • the volume of data and/or the range of different data items being processed
  • duration of the data processing activity and the geographical extent of the processing activity.

An example of such large-scale processing given by the A29 WP is processing of customer data in the course of business by an insurance company or bank.

Voluntary appointments

Where the GDPR does not require the mandatory appointment of a DPO, you can nevertheless appoint one on a voluntary basis – this is a decision that should be considered, as there are clear benefits to a voluntary appointment. This is encouraged by the A29 WP. It will also show the Information Commissioner’s Office (ICO) and your customers that you are committed to complying with your data protection obligations. You can’t be wrong for appointing a DPO, but you can be wrong for taking the decision not to do so.

You should, however, bear in mind that if you appoint a DPO voluntarily, you must still comply with the full range of compliance obligations as if the appointment had been mandatory. You must therefore ensure that your business is able to comply with all the obligations that come with the role; if not, you should not use the title of DPO within your business and should clearly document that you have decided not to appoint a DPO and the reasons for that decision.

If you decide that having a formal DPO appointment is not necessary, it is still a good idea to have someone who is the focus of GDPR compliance within the business, and can deal with such things as subject access requests and communication from the ICO.

Consequences for organisations

Although the appointment of a DPO may seem like a burden, it can in fact be advantageous, and there are many positives, in that the DPO facilitates compliance with data protection obligations in a centralised manner. Getting compliance right and demonstrating that you comply with the GDPR can give you a competitive advantage, enabling you to develop a relationship of trust and confidence, both internally with your employees and externally with your customers and suppliers.

This is an abridged version of an article that first appeared in the Law Society’s in-house magazine, Inside Out.
