GDPR - do you need a data protection officer?

Do you need a designated DPO?

With the GDPR implementation date drawing near, you should have audited the information you hold, considered the legal basis on which your processing of it will be undertaken, and looked at whether you’ll need to consider appointing a DPO.

Whether or not your firm is required to do so, firms should evaluate their data processing against the criteria for mandatory appointment of a DPO set out in Article 37 of the GDPR.

Firms should document their decision making on this - and, indeed, all other points of GDPR decision making - and regularly review their decision, particularly if they are considering a substantial change in processing activity or when carrying out a data protection impact assessment (DPIA).

When is a DPO mandatory?

Designation is mandatory where:

• processing is carried out by a public authority or body, except for courts acting in their judicial capacity
• the core activities of the controller or the processor consist of processing operations which, by virtue of their nature, their scope and/or their purposes, require regular and systematic monitoring of data subjects on a large scale, or
• the core activities of the controller or the processor consist of processing on a large scale of special categories of data or personal data relating to criminal convictions and offences.

Firms will need to interpret the key terms, including ‘core activities’, ‘regular and systematic’ and ‘large scale’ in order to decide whether mandatory designation of a DPO is required. They will also need to identify if they are processing special categories of data and whether in certain circumstances they can be regarded as a ‘public authority or body’.

Considerations

If your firm is required to appoint a DPO, it should consider carefully the requirements of the role and the tasks assigned to it in the GDPR.

In particular, DPOs need to have the appropriate expertise, independence, and resources to carry out their tasks, and potential conflicts of interest, with duties towards partners or clients, for example, need to be properly considered.

If there is no mandatory requirement, firms should consider making a voluntary appointment and approaching GDPR compliance by putting in place corresponding governance arrangements.

The WP29 encourages the designation of DPOs on a voluntary basis and firms may feel that this is the best way in which they can ensure GDPR compliance.

Firms will need to bear in mind, however, that if they designate a DPO on a voluntary basis, the requirements under Articles 37 to 39 of the GDPR will apply to his or her designation, position and tasks as if the designation had been mandatory.

What should a DPO look like?

Article 37(5) states that DPOs shall be designated on the basis of:

• professional qualities
• expert knowledge of data protection law and practices and
• the ability to fulfil the tasks as set out in Article 39

Existing staff members could be appointed to the role but these requirements, in particular, expert knowledge of data protection law and practices, are likely to mean that, at least for some practices, external recruitment or appointment might be more appropriate. Article 37(2) permits a group of undertakings to appoint a single DPO, provided that they are easily accessible from each establishment.

It is equally possible to appoint an external party as your DPO, but careful considerations should be given to such external appointments, including any conflict of interest issues.

The firms cannot ‘outsource’ its GDPR compliance obligations, and at the same time an external DPO, apart from having to fulfil the statutory requirements on qualification and knowledge of data protection laws and practices, should have sufficient knowledge and proximity to the firm’s data management processes and access to the firm’s senior management and ability to be properly involved in a timely manner in all issues in relation to the protection of personal data.

Assuming you do not make a mandatory or voluntary appointment of a DPO you should consider nominating a suitably senior and qualified person with the necessary resources to lead on data protection compliance.

Just don’t describe them as a ‘DPO’; a suitable alternative title (or part of a title) might be ‘privacy officer’ or ‘data protection compliance programme manager’, etc.

Andrew McWhir is a policy adviser at the Law Society .