Chaucer recently reviewed copies of some GDPR-related material that is being issued by a U.K. dental industry association regarding the mandatory appointment of Data Protection Officers. Some of the information being offered as legal advice appears to be inaccurate, and more worryingly, is offered without a legal disclaimer.
Opinion Piece by Lindsay Charman
This means that if dental practices are fined, or required to cease processing activities as a direct result of taking the advised action, they will have no option to seek legal recourse against the association.
The most concerning statements centre around their interpretation of the definition of the role of a Data Protection Officer and who can be appointed.
There are multiple references to the GDPR being “flexible” in its definition of DPO. At a more detailed level this is true, but the association completely ignores the primary criterion that defines a suitable DPO.
Article 37 (5) states:
“The data protection officer shall be designated on the basis of professional qualities and, in particular, expert knowledge of data protection law and practices and the ability to fulfil the tasks referred to in Article 39.”
The ICO’s language around this point is “that you should appoint a DPO on the basis of their professional qualities, and in particular, experience and expert knowledge of data protection law.”
There is no flexibility to interpret the term ‘expert’.
The flexibility comes with the level of expertise needed (which should be proportionate to the complexity of the processing) as well as through the options to resource the position (internally, externally, group or shared DPO).
In this day and age, we expect our handyman to be an expert, our real estate agent to be a specialist, and our nutritionist to be an authority. The dental association is offering paid training courses of three hours and promoting this as being sufficient experience for the graduate to register as an official DPO.
To suggest that a DPO can come from any background and be trained in a three-hour window is nonsensical.
The European Data Protection Board (EDPB), the successor to the Article 29 Working Party, has stated very clearly that there is no such thing as an individual DPO certification.
The point of the GDPR is to give data privacy the respect it deserves.
This is not a “sign up and get training later” position, any more than a pharmacist’s would be. That would undermine the essence of the GDPR entirely. Of course it makes sense to appoint a DPO from your existing staff, saving time and cost. We are not suggesting otherwise.
The GDPR is very clear about what needs to be considered before appointing a DPO though. Your DPO is your #1 ally in protecting your best interests, and your patients’ data, along with your reputation.
To do this, and to meet the requirements in the law, they need actual data privacy experience, a solid understanding of your business and technical processes, the ability to conduct risk assessments, and a thorough understanding of the GDPR, the Data Protection Act (2018), and probably the PECR (pending its replacement by the ePrivacy Regulation).
At the end of the day, as a practice owner or company director, the legal responsibility is yours. Not your DPO’s, and not an association’s.