With just over a year to go until the General Data Protection Regulation (GDPR) applies, one of the tasks that certain types of organisation should start now is the appointment of a Data Protection Officer (DPO).
The Article 29 Data Protection Working Party (WP29) recently published useful guidance (5 April 2017) that describes the DPO as being at the “heart of this new legal framework”. This blog summarises the key elements of that guidance and its associated annex.
Who is required to appoint a DPO?
There are three cases in which it is mandatory for a controller or a processor to appoint a DPO (Article 37(1)):
- Where the processing is carried out by an organisation considered to be a public authority or body except for courts acting in their judicial capacity. The WP29 guidance suggests that, as good practice, private organisations carrying out public tasks (such as energy supply, public housing and others) should also designate a DPO.
- Where the core activities of the controller or the processor consist of processing operations which require regular and systematic monitoring of data subjects on a large scale. The WP29 guidance defines “core activities” and “large scale”, as well as what constitutes “regular” and “systematic” monitoring, and discusses useful examples such as the use of closed-circuit television.
- Where the core activities of the controller or the processor consist of processing on a large scale of special categories of data (Article 9) or of personal data relating to criminal convictions and offences. As above, the WP29 guidance gives useful examples of the processing likely to fall within this definition.
Unless the answer is obvious, the WP29 guidance recommends that organisations conduct, and document, an “internal analysis” to determine whether a DPO must be appointed.
If a DPO is not mandatory for our organisation, should we still appoint one?
Organisations can appoint a DPO voluntarily. However, the WP29 guidance states that where a DPO is designated on a voluntary basis, the requirements laid down in Articles 37 to 39 apply as if the designation had been mandatory. This means that if you are not required to appoint a DPO, you should only give a role the title of DPO if it will carry all of the obligations laid down in those Articles. A DPO is also responsible for all processing of personal data carried out by the organisation, so you cannot be selective about which processing operations the DPO covers.
What are the DPO’s responsibilities?
The tasks of the DPO are laid down in Article 39(1) and are summarised below. They are to:
- Inform and advise the controller or the processor, and the employees who process personal data, of their obligations under the GDPR and other data protection law;
- Monitor compliance with the GDPR and with the organisation’s own data protection policies, including the assignment of responsibilities, awareness-raising, staff training and related audits;
- Provide advice where requested on data protection impact assessments and monitor their performance;
- Cooperate with the supervisory authority, which in the UK is the Information Commissioner’s Office (ICO);
- Act as the contact point for the ICO on issues relating to the processing of personal data, including prior consultation.
Article 39(2) requires the DPO to take a risk-based approach to their duties, having due regard to the risk associated with processing operations and taking into account the nature, scope, context and purposes of the processing. The DPO must also be genuinely accessible: the controller or processor is required to publish the DPO’s contact details and to communicate them to the ICO (Article 37(7)).
It is important to note that the DPO is not personally responsible for compliance with the GDPR. That responsibility remains with the controller or processor (Article 24(1)). There are further organisational obligations in relation to the DPO, such as involving them in data protection matters and providing the resources they need, and these will be covered in a later blog.
Who can be a DPO?
Article 37(5) states that the DPO, who may be a staff member or engaged under a service contract (Article 37(6)), “shall be designated on the basis of professional qualities and, in particular, expert knowledge of data protection law and practices and the ability to fulfil the tasks referred to in Article 39”. The WP29 guidance notes that although the required level of expertise is not defined, “it must be commensurate with the sensitivity, complexity and amount of data an organisation processes”.
It is worth noting that although Article 38(6) allows a DPO to “fulfil other tasks and duties”, the organisation must ensure that those tasks do not result in a conflict of interests. In practice this means the DPO cannot hold a position in which they determine the purposes and means of processing personal data. The WP29 guidance suggests that the assessment depends on each organisation’s structure, but that it is likely to preclude senior management roles such as the Chief Executive, Chief Financial Officer, Head of Human Resources and Head of IT, amongst others, from acting as DPO.
What should I do next?
The first step is to identify whether your organisation is required to appoint a DPO and, if so, who should fill the role. Check the text of the GDPR, the WP29 guidance and the information on DPOs available from the Information Commissioner’s website to make sure you understand how these requirements apply to your organisation.
You can then begin the process of recruitment, contracting and training new and existing staff as appropriate. It is essential that your organisation has developed the necessary competencies to comply with the GDPR by 25 May 2018. Training is a key organisational measure in preparing for the GDPR and Tkm can help. If you are interested in training for DPOs please contact us.
Tkm is in the process of adding accredited data protection qualifications to its portfolio and also delivers in-house training that can be fully customised to your business sector and the individual learning needs of your staff.
Look out for our next blog which will provide some guidance on choosing the right training for your organisation, helping to ensure best value for money.
The material contained in this article constitutes general guidelines only and does not represent to be advice on any particular matter. No reader should act on the basis of material contained within this site without first taking professional advice appropriate to their particular circumstances.
exploit – protect – comply