Some of the hype about the General Data Protection Regulation (the GDPR) has been given renewed focus over the last couple of weeks by the issuing of two Notices of Intent by the Information Commissioner’s Office (ICO) with a nominal value of over £283m. It is worth reiterating what many have already said before me – Marriott International and British Airways, the two organisations involved, may never actually receive a fine. This is only the start of the process and there is a long way to go.
Nevertheless, what this has undoubtedly done is raise the profile of data protection legislation and the newly acquired abilities of the regulator (the ICO) to issue substantially increased fines compared to those available under previous legislation. This will almost certainly result in some discussion in boardrooms and, for those that have yet to appoint a Data Protection Officer (DPO), probably a much more serious discussion about whether or not they should. Even those that don’t need a DPO may still choose to appoint one, or someone specifically responsible for data protection compliance.
If you are newly appointed to the role, the most important point to remember is that you are not alone. While the role of DPO is new to the GDPR, the majority of data protection law requirements have been around for some time in the UK, some since 1984, so there are lots of things we can learn from what has happened under previous legislation.
It is likely to seem like a daunting task at first, and I think most would agree that there is a huge amount of information to take in before you can even think about applying it. Data protection has also suffered from significant volumes of misinformation that need to be sifted out. So where do you start if you are given the role of DPO?
This article provides some basic advice as well as links to reliable sources for those new to the DPO role as well as for those responsible for managing data protection compliance. This draws on my own experiences of working with data protection for the past 20 years, including as a DPO for a number of organisations since 25 May last year.
What is a Data Protection Officer?
A DPO is a role established by the GDPR with specific tasks and responsibilities laid down by the legislation. The role is required by an organisation (either a controller or processor¹) where:
- The organisation is a public authority, except for courts acting in their judicial capacity;
- The core activities of the organisation require regular and systematic monitoring of data subjects on a large scale. One example of regular and systematic monitoring will be CCTV but there are lots of others;
- The core activities consist of processing on a large scale of special categories of personal data (Article 9 of the GDPR) or personal data relating to criminal convictions and offences (Article 10). Special categories of personal data include medical information, racial or ethnic origin, religious beliefs and trade union membership along with others.
If you haven’t already, it may be helpful to review the guidance on the role of the DPO issued by the Article 29 Working Party and endorsed by the European Data Protection Board (EDPB), as it expands on several important points, including the need to avoid a conflict of interest when making the appointment. It also helps with the interpretation of key terms such as “large scale”, and discusses the need to conduct a data protection impact assessment to determine whether you need a DPO if it is not clear from the legislation.
I would recommend that you don’t call yourself a DPO unless the law specifically requires your organisation to have one, or a decision has been made at board level or equivalent that your organisation should have one. If you call yourself a DPO, both you and your organisation must then comply with all aspects of the law for DPOs.
What do I need to do?
There is no set job description, and the role is likely to differ according to sector, size and a range of other factors. However, the GDPR lays down a number of tasks (Article 39) that have to be completed by the DPO as a minimum:
- To advise the organisation that you work for as well as their employees about their obligations under the GDPR and other data protection law;
- Monitor compliance with the GDPR and other data protection law as well as with the policies of your organisation that relate to the protection of personal data. The legislation mentions the assignment of responsibilities, awareness-raising and training of staff involved in processing operations, and the related audits;
- Provide advice on data protection impact assessments and monitor their performance in terms of ensuring compliance with the GDPR;
- Cooperate and act as the point of contact with the supervisory authority. In the UK this will be the Information Commissioner’s Office.
The GDPR requires the DPO, when carrying out their tasks, to have due regard to the risk associated with processing operations. It is also worth noting that the DPO must be accessible to data subjects and is bound by secrecy and confidentiality regarding the performance of their tasks.
There are other responsibilities placed on the controller or processor with regard to the DPO and you can find out more about these in the GDPR as well as the EDPB guidance referred to above.
Who am I responsible to?
The DPO should report into the highest level of your organisation, which is usually board level. Further information about this is available from the ICO’s website. It should be noted that there is nothing in the legislation or the EDPB guidance that allows the role to be delegated by an existing board member who is, in effect, DPO in name only, although that is an approach a number of organisations seem to have taken. The organisation must also ensure that the DPO does not receive any instructions regarding the exercise of their tasks.
What skills and competencies should I have?
The GDPR states that the DPO “shall be designated on the basis of professional qualities and, in particular, expert knowledge of data protection law and practices”, as well as being able to fulfil the tasks listed above.
I am sure it goes without saying, but for the avoidance of doubt, anyone in the role of DPO should have at least a basic knowledge of data protection laws, and an understanding of how the law is applied is a must. That said, these are skills that the vast majority of us have learnt once in the job, but it is really helpful to familiarise yourself with reference materials (including codes of practice) and applicable legislation. As highlighted above, make sure the information you are using is from a trusted and reliable source.
To comply with the requirements of legislation, information governance skills are likely to be very helpful, with business knowledge of the organisation you are working for essential. As yet, the ICO hasn’t issued any additional guidance for the UK although you may find it useful to look through the frameworks of competence published by the Spanish and French authorities. These are fairly consistent in the areas of competence that they are expecting a DPO to have. We are going to cover the area of emerging required competencies of DPOs in a later blog.
Is being a DPO a permanent role and can I do it alongside what I am doing?
Assuming your organisation meets the criteria for requiring a DPO, it will be an ongoing legal obligation, although whether it is introduced as a permanent role will be decided by your organisation. The legislation specifically allows for the role to be held by an employee or to be contracted in as a service. If you are going to contract in a service, make sure you undertake the necessary due diligence.
The role can be fulfilled by someone with other responsibilities although, as mentioned above, there cannot be any conflict of interest between the two roles that you might hold. For example, it is unlikely that the role of DPO could be held by the Head of HR or the Head of IT, or equivalent roles in your organisation.
Are there any associations that I could join?
Some of the organisations that provide support for compliance with data protection laws include:
What training is available?
If you are looking to formally develop competencies, there is a wide range of training available. Again, do your due diligence to make sure any events you decide to attend are going to provide what you need them to. Note that there are no certifications under the GDPR in the UK, at least not yet, and there are unlikely to be any for DPO training.
Tkm offers a number of data protection qualifications that are certified by the BCS or the SQA, one of the UK’s qualifications regulators.
Tkm’s courses include:
- Diploma/Certificate in Managing Data Protection Compliance
- Certificate in Data Protection Compliance
- BCS Foundation Certificate in Data Protection
- BCS Practitioner Certificate in Data Protection
Courses are run throughout the UK and can also be delivered in-house. In-house training can be fully customised according to the needs of your organisation. Please don’t hesitate to contact us if you would like to discuss your requirements. The IRMS also has other training partners that provide courses on a range of information governance topics – see Leadership Through Data.
¹ Controllers and processors are defined by the GDPR. A controller determines the means and purposes of processing personal data, and a processor processes personal data on behalf of the controller. If you are regularly processing personal information, you are likely to be either a controller or a processor, or both. See the ICO’s website for further information.