The Data Protection Officer role has existed for some time, but GDPR will make the appointment of a DPO mandatory (it will also be a great help navigating PECR). As with all aspects of GDPR compliance, it’s not immediately obvious which businesses will require a DPO.
What is a Data Protection Officer?
A DPO will act as a link between your organisation and the public for all queries and concerns regarding how personal data is used and stored. Article 37(5) states “The DPO, who can be a staff member or contractor, shall be designated on the basis of professional qualities and, in particular, expert knowledge of data protection law and practices and the ability to fulfil the tasks referred to in Article 39”, in essence a mini job description.
The essential duties of the DPO will be informing your organisation and employees of their data protection obligations, monitoring compliance and providing data protection impact assessments (DPIAs), alongside other duties such as training and liaising with the relevant authorities. GDPR also specifies that this role should be a senior one, as a DPO must report to the highest level of management and be provided with all the resources they need.
Do you need to hire a DPO?
There are key points that help define whether your organisation needs a DPO, but before going into those remember that the official view of the Article 29 Working Party (a committee made up of a representative from the data protection authority of each EU Member State, the European Data Protection Supervisor and the European Commission) is that it will be down to you to prove you don’t need a DPO. Aside from this, if your business follows any of the following three scenarios in its practices, you’ll require a DPO.
– The processing is carried out by a public authority;
– The core activities of the controller or processor consist of processing operations which require regular and systematic processing of data subjects on a large scale; or
– The core activities of the controller or processor consist of processing on a large scale of sensitive data (Article 9) or data relating to criminal convictions/offences.
While some of the specifics remain unclear, some light has been shed on a few of the key terms. “Public Authority” is not defined within GDPR but under UK law constitutes ministerial departments, authorities working in the public interest, such as the Crown Prosecution Service and other public bodies like the DVLA.
‘Core activities’ has been clarified to mean activities that “form an inextricable part of the controller’s or processor’s activity”. So if your business uses data on a regular basis as a key part of its business model, you’ll need a DPO. The “large scale” in these scenarios is also undefined, but WP29 takes into account the number and geographical locations of subjects, the volume of data and the processing time of it.
And remember that while there was originally some confusion about whether SMEs would be exempt, it has since been clarified that there will be no DPO exemption for smaller businesses.
Proactivity is key to staying compliant
Even if you’re not required to hire a DPO under GDPR, it’s something to keep on your radar in order to stay compliant in a data-orientated future. An individual in your company can take on the DPO mantle on a voluntary basis in addition to their normal role, but the regulations state that a voluntary DPO will be held to exactly the same requirements as a full-time officer.
Would you like to discuss the implications of GDPR, PECR or the hiring of a DPO & other Data professionals on your organisation in greater detail? Contact our Data team.