The GDPR acknowledges the Data Protection Officer (DPO) as a key individual in ensuring compliance within your company, with their appointment mandatory for all public authorities and many private organisations such as, but not exclusive to, the financial sector.
Although the GDPR does not specifically require the appointment of a DPO for every organisation, it is highly encouraged and recommended by the European Article 29 Working Party (WP29) who represent the advisory body to European Commission on data protection matters, a matter of good practice and to demonstrate compliance.
However, as such an appointment will be costly and not always necessary, this article will help you decide whether or not your company should appoint a designated DPO.
How to decide whether you need to appoint a Data Protection Officer under the GDPR
So, to help you to apply these terms to your own organisation, we have expanded more on each of the 3 key points below and have provided useful examples.
What are “Core Activities”?
Article 37(1)(b) and (c) of the GDPR refers to the “core activities of the controller or processor”. Core activities include:
- Key operations to achieve the controller’s or processor’s objectives.
- All activities where the processing of data forms an inseparable part of the overall activity.
However, this does not include support or secondary functions for your organisation’s main business, such as supporting activities for processing the company’s payroll, for example.
An example of points 1 and 2 is where the core activity of a hospital is to provide health care. However, a hospital could not provide health care safely and effectively without processing personal data, such as their patients’ health records.
Therefore, processing this data should be considered to be one of any hospital’s core activities and hospitals must designate controllers, processors or a DPO to carry out this function.
Another example is where a private security company may carry out the surveillance of a number of private shopping centres and public spaces.
Surveillance is the core activity of the company which, in turn, is inseparably linked to the processing of personal data. Despite having a DPO this company must also designate controllers, and processors.
On the other hand, taking point 3 into consideration, all organisations carry out specific activities, for example, paying their employees or having standard IT support activities. These are necessary support functions for your organisation’s core activity or main business.
Even though these activities are necessary or essential, they are usually considered ancillary functions rather than the core activity, so you would not need to appoint a DPO if these are your ‘core activities’.
What is “Large Scale”?
For the appointment of a DPO to be mandatory, Article 37(1)(b) and (c) requires that the processing of personal data be carried out on a “large scale”.
Because the guidance still remains somewhat unspecified within the GDPR, I have given some examples as to what would be considered as large scale:
These include the processing of:
- Patient data during the regular business day of a hospital.
- Travel data of people using a city’s public transport system – an example being the tracking of travel cards.
- Real time anonymised data, for example, of customers of a fast food chain for statistical and analytical purposes by a processor who may specialise in providing such services.
- Large amounts of customer data in the regular course of business, for example, by a bank.
- Personal data for behavioural advertising by a search engine for analytical or statistical purposes.
- Data (content, traffic, location) by telephone or internet service providers for a specific purpose.
Some examples that do not constitute large-scale processing include:
- Processing of patient data by an individual doctor.
- Processing of personal data relating to criminal convictions and offences by an individual lawyer.
What does “Regular and Systematic Monitoring” mean?
The concept of “regular and systematic monitoring” of data subjects is not defined in the GDPR. That said, the concept of ‘monitoring the behaviour of data subjects’ is outlined in recital 24 of the GDPR and identifies all forms of tracking and profiling on the internet.
However, the concept of monitoring is not confined to the online world, therefore, online tracking should only be considered as a single example of monitoring the behaviour of data subjects.
- Regular= ongoing recurring, constantly or periodically.
- Systematic = occurring according to a system, organised or prearranged, methodical or part of a general plan or strategy.
- Operating a telecommunications network; providing telecommunications services; email.
- Retargeting, profiling and scoring for purposes of risk assessment (e.g. for purposes of credit scoring, establishment of insurance premiums, fraud prevention, detection of money-laundering); location.
- Tracking, for example, by mobile apps; loyalty programmes; behavioural advertising.
- Monitoring of wellness, fitness and health data via wearable devices; CCTV; connected devices such as smart meters, smart cars, home automation.
Making the right decision
The DPO will be a high profile and highly accountable role requiring expertise in national and European data protection laws and practices, and have an in-depth understanding of the GDPR.
It will be important to appoint the best fit for your organisation – taking into account its size and the sector you are in. As such, you will need to decide if appointing a full-time DPO is the best way to ensure your organisation complies with GDPR – or look at other options – part-time, shared or appoint an external consultant.
Unless it is obvious that your organisation is not required to appoint a DPO, I recommend that you fully document the analysis you carry out to decide whether or not you needed to appoint a DPO for the purposes of auditing.
If your organisation does appoint a DPO on a voluntary basis, the same requirements under Articles 37 to Article 39 of the GDPR will apply to the appointment made.
Understand the position of the DPO within your organisation
The GDPR does not identify the credentials a DPO should have.
The WP29 does, however, define a number of minimum requirements in relation to the type of experience and skillset of a DPO.
Remember that the DPO must be fully immersed in all issues relating to data protection throughout your company.
Here are some tips if your company decides to appoint a DPO
- Ensure the DPO is consulted and made fully aware of early discussions relating to personal/sensitive information in relation to the methods that will be implemented to ensure the ongoing protection of data.
- Invite your DPO to meetings of senior and middle management and relevant working group meetings.
- Develop guidelines or programmes that set out when the DPO must be consulted.
- Inform all staff of the DPO’s existence and function.
- Document any reasons for not following the DPO’s advice for the purposes of auditing, to ensure that the DPO is protected from any liability issue arising from not following their advice.
Consider establishing a Data Protection Team
You should consider whether it is necessary to set up a dedicated data protection team which would act as the overall custodians of your data and also ensure that ongoing compliance is maintained throughout your organisation.
This would, however, depend on the size of your organisation. The best way to approach this is to:
- Draw up tasks and responsibilities for the team.
- Consider an alternative which could be to embed data protection compliance into your business through the introduction of ’Data Protection Practitioners’ who could be existing employees being given some added responsibility.
- Establish the budgeting requirements for the data protection team.
How to meet your legal obligations to your DPO
- Your employees have overall responsibility for data compliance.
- Your DPO must be free from a conflict of interests:
- They cannot hold a position which leads them to determine the purposes and means of data processing (on a case-by-case assessment).
- They cannot hold conflicting positions such as: CEO, CFO, CIO, Head of Marketing, Head of HR, but also less senior roles. Independence is absolutely key here.
- The opinion of the DPO should be given due weight.
- The DPO must be promptly informed of any form of data breach or any other data-related incident occurs.
How to proceed if you do not appoint a DPO
If you decide that your organisation does not wish to appoint a DPO on a voluntary basis and you do not legally have to appoint a DPO, you can, nevertheless, employ staff or external consultants to the role.
It is, however, important that you ensure that there is no confusion regarding:
- Their title.
- Their overall status.
- Their position.
- The tasks that they have been hired to undertake.
Therefore, it should be made clear, in any communications within your organisation as well as with the ICO and your data subjects, that the title of this individual or consultant is not a designated DPO.
If you do go down the route of outsourcing your data protection compliance, make sure that you have some Service Level Agreement (SLA) in place that guarantees that you can comply with the GDPR – not just by ticking the check box of the having an external data protection consultant but that your consultant can respond to your needs and the request of your data subjects.
In general, the more complex and/or sensitive the processing operations of your business, the more resources you should consider giving to the DPO function. This must be effective and sufficiently well-resourced in relation to the data processing being carried out by your organisation.
Understanding the key tasks of your DPO
Your DPO’s main duties will comprise the following:
Another significant task of the DPO is to take responsibility for Data Protection Impact Assessments (DPIA). So where these need to be undertaken, advice should be sought from the DPO as to:
- Whether or not to carry out a DPIA.
- What methodology to follow when carrying out a DPIA.
- Whether to carry out the DPIA in-house or whether to outsource it.
- What safeguards (including technical and organisational measures) to apply to mitigate any risks to the rights and interests of the data subjects.
- Whether or not the DPIA has been correctly carried out and whether its conclusions are in compliance with the GDPR i.e. whether or not to go ahead with the processing and what safeguards to apply.