Paul Gillingwater MBA, CISSP, CISM, RHCE

Associate Partner

  • Data Strategy

17 Mar, 2018

Do you need a Data Protection Officer?

The GDPR acknowledges the Data Protection Officer (DPO) as a key individual in ensuring compliance within your company, with their appointment mandatory for all public authorities and many private organisations such as, but not exclusive to, the financial sector.

Although the GDPR does not specifically require the appointment of a DPO for every organisation, it is highly encouraged and recommended by the European Article 29 Working Party (WP29) who represent the advisory body to European Commission on data protection matters, a matter of good practice and to demonstrate compliance.

However, as such an appointment will be costly and not always necessary, this article will help you decide whether or not your company should appoint a designated DPO.

How to decide whether you need to appoint a Data Protection Officer under the GDPR

Mandatory for public authorities or bodies (except courts)

These consist of: UK law enforcement, all local UK government bodies and departments, devolved administrations, public broadcasters such as the BBC and Channel 4 and the Armed Forces.

Not mandatory but strongly suggested

Private companies who are carrying out services for public authorities or where the private company is acting as a DPO for a public authority.

Mandatory for private companies where the “core activities” consist of:

Processing operations which require “regular and systematic monitoring” of data subjects “on a large scale”, or “Large scale” processing of sensitive data or data relating to criminal convictions and offences.

Not mandatory

If your organisation’s core activities do not consist of point 3 above

So, to help you to apply these terms to your own organisation, we have expanded more on each of the 3 key points below and have provided useful examples.

What are “Core Activities”?

Article 37(1)(b) and (c) of the GDPR refers to the “core activities of the controller or processor”. Core activities include:

  1. Key operations to achieve the controller’s or processor’s objectives.
  2. All activities where the processing of data forms an inseparable part of the overall activity.

However, this does not include support or secondary functions for your organisation’s main business, such as supporting activities for processing the company’s payroll, for example.

Examples

An example of points 1 and 2 is where the core activity of a hospital is to provide health care. However, a hospital could not provide health care safely and effectively without processing personal data, such as their patients’ health records.

Therefore, processing this data should be considered to be one of any hospital’s core activities and hospitals must designate controllers, processors or a DPO to carry out this function.

Another example is where a private security company may carry out the surveillance of a number of private shopping centres and public spaces.

Surveillance is the core activity of the company which, in turn, is inseparably linked to the processing of personal data. Despite having a DPO this company must also designate controllers, and processors.

On the other hand, taking point 3 into consideration, all organisations carry out specific activities, for example, paying their employees or having standard IT support activities. These are necessary support functions for your organisation’s core activity or main business.

Even though these activities are necessary or essential, they are usually considered ancillary functions rather than the core activity, so you would not need to appoint a DPO if these are your ‘core activities’.

What is “Large Scale”?

For the appointment of a DPO to be mandatory, Article 37(1)(b) and (c) requires that the processing of personal data be carried out on a “large scale”.

Because the guidance still remains somewhat unspecified within the GDPR, I have given some examples as to what would be considered as large scale:

Examples

These include the processing of:

  • Patient data during the regular business day of a hospital.
  • Travel data of people using a city’s public transport system – an example being the tracking of travel cards.
  • Real time anonymised data, for example, of customers of a fast food chain for statistical and analytical purposes by a processor who may specialise in providing such services.
  • Large amounts of customer data in the regular course of business, for example, by a bank.
  • Personal data for behavioural advertising by a search engine for analytical or statistical purposes.
  • Data (content, traffic, location) by telephone or internet service providers for a specific purpose.
  • CCTV.

Some examples that do not constitute large-scale processing include:

  • Processing of patient data by an individual doctor.
  • Processing of personal data relating to criminal convictions and offences by an individual lawyer.

What does “Regular and Systematic Monitoring” mean?

The concept of “regular and systematic monitoring” of data subjects is not defined in the GDPR. That said, the concept of ‘monitoring the behaviour of data subjects’ is outlined in recital 24 of the GDPR and identifies all forms of tracking and profiling on the internet.

However, the concept of monitoring is not confined to the online world, therefore, online tracking should only be considered as a single example of monitoring the behaviour of data subjects.

  • Regular= ongoing recurring, constantly or periodically.
  • Systematic = occurring according to a system, organised or prearranged, methodical or part of a general plan or strategy.

Examples

  • Operating a telecommunications network; providing telecommunications services; email.
  • Retargeting, profiling and scoring for purposes of risk assessment (e.g. for purposes of credit scoring, establishment of insurance premiums, fraud prevention, detection of money-laundering); location.
  • Tracking, for example, by mobile apps; loyalty programmes; behavioural advertising.
  • Monitoring of wellness, fitness and health data via wearable devices; CCTV; connected devices such as smart meters, smart cars, home automation.

Making the right decision

The DPO will be a high profile and highly accountable role requiring expertise in national and European data protection laws and practices, and have an in-depth understanding of the GDPR.

It will be important to appoint the best fit for your organisation – taking into account its size and the sector you are in. As such, you will need to decide if appointing a full-time DPO is the best way to ensure your organisation complies with GDPR – or look at other options – part-time, shared or appoint an external consultant.

Unless it is obvious that your organisation is not required to appoint a DPO, I recommend that you fully document the analysis you carry out to decide whether or not you needed to appoint a DPO for the purposes of auditing.

If your organisation does appoint a DPO on a voluntary basis, the same requirements under Articles 37 to Article 39 of the GDPR will apply to the appointment made.

Understand the position of the DPO within your organisation

The GDPR does not identify the credentials a DPO should have.

The WP29 does, however, define a number of minimum requirements in relation to the type of experience and skillset of a DPO.

Remember that the DPO must be fully immersed in all issues relating to data protection throughout your company.

Here are some tips if your company decides to appoint a DPO

  • Ensure the DPO is consulted and made fully aware of early discussions relating to personal/sensitive information in relation to the methods that will be implemented to ensure the ongoing protection of data.
  • Invite your DPO to meetings of senior and middle management and relevant working group meetings.
  • Develop guidelines or programmes that set out when the DPO must be consulted.
  • Inform all staff of the DPO’s existence and function.
  • Document any reasons for not following the DPO’s advice for the purposes of auditing, to ensure that the DPO is protected from any liability issue arising from not following their advice.

Consider establishing a Data Protection Team

You should consider whether it is necessary to set up a dedicated data protection team which would act as the overall custodians of your data and also ensure that ongoing compliance is maintained throughout your organisation.

This would, however, depend on the size of your organisation. The best way to approach this is to:

  1. Draw up tasks and responsibilities for the team.
  2. Consider an alternative which could be to embed data protection compliance into your business through the introduction of ’Data Protection Practitioners’ who could be existing employees being given some added responsibility.
  3. Establish the budgeting requirements for the data protection team.

How to meet your legal obligations to your DPO

Give your DPO all the necessary resources in order to ensure compliance

Ensure your DPO is actively supported by senior management.

Give sufficient time, financial resources, infrastructure and staff to help the DPO fulfil their duties.

Allow access to other services or business units so that the DPO can receive the essential support, input and information from across the business.

Develop a continuous internal and external (if dealing with third-party controllers and processors) data protection training.

Ensure your DPO is your company’s link to the Information Commissioners Office (ICO)

So they can co-operate with the ICO when dealing with Subject Access Requests (SARs) and be the contact point for the ICO in the matter of SARs.

Put the DPO in a position to perform their duties and tasks in an independent manner.

And remember

  • Your employees have overall responsibility for data compliance.
  • Your DPO must be free from a conflict of interests:
    • They cannot hold a position which leads them to determine the purposes and means of data processing (on a case-by-case assessment).
    • They cannot hold conflicting positions such as: CEO, CFO, CIO, Head of Marketing, Head of HR, but also less senior roles. Independence is absolutely key here.
  • The opinion of the DPO should be given due weight.
  • The DPO must be promptly informed of any form of data breach or any other data-related incident occurs.

How to proceed if you do not appoint a DPO

If you decide that your organisation does not wish to appoint a DPO on a voluntary basis and you do not legally have to appoint a DPO, you can, nevertheless, employ staff or external consultants to the role.

It is, however, important that you ensure that there is no confusion regarding:

  1. Their title.
  2. Their overall status.
  3. Their position.
  4. The tasks that they have been hired to undertake.

Therefore, it should be made clear, in any communications within your organisation as well as with the ICO and your data subjects, that the title of this individual or consultant is not a designated DPO.

If you do go down the route of outsourcing your data protection compliance, make sure that you have some Service Level Agreement (SLA) in place that guarantees that you can comply with the GDPR – not just by ticking the check box of the having an external data protection consultant but that your consultant can respond to your needs and the request of your data subjects.

In general, the more complex and/or sensitive the processing operations of your business, the more resources you should consider giving to the DPO function. This must be effective and sufficiently well-resourced in relation to the data processing being carried out by your organisation.

Understanding the key tasks of your DPO

Your DPO’s main duties will comprise the following:

Monitoring overall compliance with the GDPR (Article 39(1)(b))

Assisting the controllers and/or the processors within your business to monitor internal compliance

Collecting information to identify processing activities

Analysing and checking the compliance of processing activities

Informing, advising and issuing recommendations to the controller or the processor

Another significant task of the DPO is to take responsibility for Data Protection Impact Assessments (DPIA). So where these need to be undertaken, advice should be sought from the DPO as to:

  1. Whether or not to carry out a DPIA.
  2. What methodology to follow when carrying out a DPIA.
  3. Whether to carry out the DPIA in-house or whether to outsource it.
  4. What safeguards (including technical and organisational measures) to apply to mitigate any risks to the rights and interests of the data subjects.
  5. Whether or not the DPIA has been correctly carried out and whether its conclusions are in compliance with the GDPR i.e. whether or not to go ahead with the processing and what safeguards to apply.

Paul Gillingwater MBA, CISSP, CISM, RHCE

Associate Partner

GDPR, ISO27001, PCI/DSS, GRC, DPA18

Paul is Head of IT Security and Data Privacy Team and Registered DPO at xTech and has worked for more than 30 years as a cyber security specialist and advisor to businesses with their governance, regulatory and compliance requirements. More recently he has advised on data protection and is a passionate advocate of online privacy rights education.

Data: Our most valuable resource, without accounting monetary value

Blog 29 Jun, 2022

Data Strategy

Data: Our most valuable resource, without accounting monetary value

29 Jun, 2022

Justice Allotey, Data Strategy Lead
A Machine Learning primer

Blog 11 Feb, 2022

Data Strategy, Data, RPA, AI, Robotics, Machine Learning, CX

A Machine Learning primer

11 Feb, 2022

Smitha Dunwell

Managing Principal

Finding our equilibrium workplace

Blog 28 Sep, 2021

Data Strategy, Data Science & Analytics, Data Visualisation, Data, Data Ethics, Culture

Finding our equilibrium workplace

28 Sep, 2021

Jill Dawson

Head of Marketing

Load More Articles