Many data controllers already have people within their organisation who are referred to as “Data Protection Officers”. Currently, people with the job title of “Data Protection Officer” can be senior members of staff, or (more often) quite junior members of staff, and their job roles can vary quite considerably from organisation to organisation. Under the current data protection framework within the UK there is no formal concept of a Data Protection Officer, but that will all change in May 2018 when the General Data Protection Regulation becomes applicable.
The Data Protection Officer
The Data Protection Officer, or DPO, is a specific concept within the GDPR. All public bodies will be required to appoint a DPO (with one exception, on which see further on) as will many private sector organisations. The DPO is a key person within the new data protection framework and organisations should avoid giving people who are not a DPO within the context of the GDPR job titles which could be misleading.
The DPO should operate at a senior level and be able to feed into the highest level of the organisation. The DPO should be a person with expert knowledge of data protection law and practices and should assist the controller or processor to monitor internal compliance with the GDPR. The DPO can be a full-time or part-time member of staff, but can also be provided by a third party in terms of a service contract.
Where a DPO has been appointed, the data controller is required to publish the name and contact details for their DPO.
When does a Data Protection Officer require to be appointed?
All public authorities, regardless of size, (and with the exception of courts acting in their judicial capacity) will be required to appoint a DPO under the GDPR. The GDPR does not define what is meant by “public authority or body” and this will largely be left up to national laws to determine. It would be fair to say that in the UK any organisation that is deemed to be a public authority for the purposes of the Freedom of Information Act 2000 or a Scottish public authority for the purposes of the Freedom of Information (Scotland) Act 2002 will be considered as a public authority or body.
It is also probable that private companies who carry out functions of a public administrative nature will also be considered as a public authority or body and so the definition of public authority for the purposes of the Environmental Information Regulations 2004 and the Environmental Information (Scotland) Regulations 2004 should also be considered.
As already noted, the requirement to appoint a DPO is not simply confined to public authorities; private sector organisations will also be required to appoint a DPO if they meet certain criteria. Private sector organisations (whether they are a data controller or a data processor – references to data controller in this blog post should be taken to include data processors) will need to appoint a DPO where their core activities consist of processing operations which require regular and systematic monitoring of data subjects on a large scale.
Finally, any data controller whose core activities consist of processing, on a large scale (which is yet to be properly defined), special categories of data or personal data relating to criminal convictions and offences. Special categories of personal data broadly corresponds with what the Data Protection Act 1998 describes as “sensitive personal data”, which includes personal data such as race, religion, political beliefs, health data etc.
What this means is that there is likely to be a requirement on a large number of private sector organisations to appoint a DPO.
The tasks of the Data Protection Officer
The GDPR sets out various tasks that Data Protection Officers will be required to carry out; these are:
- to inform and advise the controller or the processor and the employees who are
processing personal data of their obligations pursuant to the GDPR;
- to monitor compliance with the GDPR, including the assignment of responsibilities, awareness- raising and training of staff involved in the processing operations, and the related audits;
- to provide advice where requested as regards the data protection impact assessment and monitor its performance pursuant to Article 35
- to co-operate with the Information Commissioner as the supervisory authority
- to act as the contact point for the supervisory authority on issues related to the processing of personal data
Data Protection Officers must be able to carry out their functions independently and must also be given sufficient resources to enable to them fulfill their obligations (for larger organisations, this is may include, for example, having a staff to assist them). The requirement for them to conduct their responsibilities independently means that they should not be subject to direction on the performance of their responsibilities by anyone in the organisation and should not be treated unfairly for discharging their duties (e.g. they shouldn’t be side-lined or dismissed if they give an opinion that isn’t appreciated).
There is no obligation within the GDPR for an organisation to do what their DPO advises them to do; however, the accountability principle in the GDPR will mean that the ICO will likely want an explanation as to why an organisation has gone against the advice of their DPO if that is what they decide to do.
It is for each data controller and processor to decide whether or not they require to appoint a DPO; however, the accountability principle of the GDPR will mean that organisations who have decided they do not require a DPO should be able to demonstrate how and why they came to that decision. Organisations that are not required to appoint a DPO under the GDPR can still appoint one if they wish, but persons who are “electively” appointed as a DPO will be viewed in exactly the same way as those whose appointment is mandatory.
What constitutes and organisation’s core activities is not specifically defined within the GDPR. However, Recital 97 of the GDPR states that in the private sector, the “primary activities [of the controller] and do not relate to the processing of personal data as ancillary activities”. The Recital is not part of the law, but is a tool which assists with the inetrpretation of the law. Oragnisations will need to be clear as to what their “primary activities” are in order to be able to work out whether processing personal data is one of their “core activities”.
The Article 29 Woking Party, in its Guidelines on Data Protection Officers expresses it in the following way:
“Core activities’ can be considered as the key operations to achieve the controller’s or processor’s objectives. These also include all activities where the processing of data forms as inextricable part of the controller’s or processor’s activity. For example, processing health data, such as patient’s health records, should be considered as one of any hospital’s core activities and hospitals must therefore designate DPOs.
On the other hand, all organisations carry out certain supporting activities, for example, paying their employees or having standard IT support activities. These are examples of necessary support functions for the organisation’s core activity or main business. Even though these activities are necessary or essential, they are usually considered ancillary functions rather than the core activity.”
Large Scale Processing
As noted above, the GDPR does not define what is meant by large scale processing activities. In its guidelines on Data Protection Officer, the Article 29 Working Party has suggested four factors which should be taken into consideration when decideing whether processing is taking place on a large scale. Those factors are:
- the number of data subjects concerned – either as a specific number or as a proportion of the relevant population;
- the volume of data and/or the range of different data items being processed;
- the duration, or permanence, of the data processing activity;
- the geographical extent of the processing activity
As the phrase remains underfined within the GDPR it is a matter that will require a level of judicial interpretation. No doubt the domestic courts will be asked to grapple with the concept of large-scale processing at somepoint; as will the Court of Justice of the European Union (although, what impact a decision of the court will have in the UK given Brexit is a matter that remains to be seen).
A failure to appoint a DPO where one is required is a matter which can attarct an administrative fine; in this case the maximum is €10m or 2% of global turnover (which ever is greater). I have covered administrative fines in more detail in another blog post. Articles 38 and 39 of the GDPR, which relate to the position of the DPO and their tasks, are also subject to the administartive fine provisions; again with the maximum being €10m or 2% of global turnover (whichever is greater).
If you would like advice on Data Protection Officers under the GDPR, or on any other matter relating to data protection/privacy or Freedom of Information, then you can contact Alistair Sloan on 0345 450 0123, by completing the contact form on this blog, or you can send him an E-mail directly.