A key change brought in by the GDPR is the requirement under Article 38 for certain groups of companies to appoint a Data Protection Officer (‘DPO’). Some member states, such as Germany, already had national legislation requiring the appointment of a DPO; however, the GDPR helped standardise the use of DPOs across all member states.
Definition under the GDPR
A Data Protection Officer is required to have expert knowledge of data protection laws and practices and must report directly to the highest management level of a controller or processor.
The GDPR requires that an organisation appoints a DPO where it is a:
- Public authority or body (excluding the courts);
- Private company where the “core activities” of the company include:
(a) a large scale, regular and systematic monitoring of individuals (such as online behaviour tracking);
(b) large scale processing of special categories of data or data relating to criminal convictions and offences.
The Data Protection Act 2018 in the UK imposes the obligation to appoint a DPO under s69 – s71 in relation to law enforcement processing.
Article 39 sets out the following minimum tasks for a DPO:
(a) to inform and advise the controller or the processor and the employees who carry out processing of their obligations
(b) to monitor compliance with this Regulation, including the assignment of responsibilities, awareness-raising and training of staff and the related audits
(c) to provide advice where requested as regards the data protection impact assessments
(d) to cooperate with the supervisory authority
(e) to act as the contact point for the supervisory authority.
What does the GDPR definition really mean?
The DPO is responsible for advising organisations about their obligations under the GDPR as well as monitoring compliance. As part of their role in ensuring compliance, they may be involved in managing internal data protection activities, advising on DPIAs, training staff and conducting audits. The DPO should be the first point of contact for supervisory authorities and individuals whose data is processed.
The DPO should be appointed for their expert knowledge on data protection law and practices and they should be provided with the appropriate resources to carry out their tasks.
The GDPR harmonised the use of DPOs across the member states and removed the obligation to submit notifications and registrations to local agencies. Instead, the GDPR requires companies to keep adequate internal records and appoint a DPO where a company’s core activities consist of processing operations which require regular and systematic monitoring of data subjects on a large scale or of special categories of data or data relating to criminal convictions and offences.
The DPO requirement was one of the key changes brought in under the GDPR, and many companies fall into one of the categories above and need to ensure that they have appointed a DPO.
What must my business do to ensure compliance?
If your business requires a DPO you must ensure that you either appoint one or have a contract with an external individual or organisation who will act as your DPO. You should ensure all of your senior staff members are aware that they are not permitted to give instructions to the DPO or impose any penalty on them. If your DPO is an internal hire, you should also ensure adequate provisions are in place to minimise any risk of conflict between their duties. You must publish the contact details of your DPO and provide the details to the ICO (you do not have to publish their name, but may choose to do so).
What happens if I do not appoint a DPO?
Failure to appoint a DPO where required can lead to significant ramifications. Administrative fines can be as high as €10,000,000 or 2% of the company’s worldwide turnover, whichever is higher.
What are ‘core activities’?
Core activities “relate to [an organisation’s] primary activities and do not relate to the processing of personal data as ancillary activities” (Recital 97, GDPR). Primary activities are those which you need to achieve your business’s key objectives, rather than activities which are ancillary to this. For most businesses the processing of payroll or HR information is likely to be a secondary purpose, and not part of your core activities. However, an HR service provider will process payroll and HR information as a core activity.
What does ‘regular and systematic monitoring’ mean?
This is not defined in the GDPR; however, guidance issued by the EDPB states that ‘regular and systematic monitoring’ includes all activities which involve profiling and tracking customers (whether online or offline). Examples include behavioural advertising, customer loyalty programmes, and apps and other devices which track a user’s location or physical activities.
What is considered ‘large scale’?
Again, this is not defined in the GDPR. When determining if processing is on a large scale, guidance issued by the EDPB advises taking into account the following factors:
- the numbers of data subjects concerned;
- the volume of personal data being processed;
- the range of different data items being processed;
- the geographical extent of the activity; and
- the duration or permanence of the processing activity.
My company is part of a group of companies; do we need a DPO each?
No, you may appoint a single officer to be shared by all of the companies in the group provided that the DPO is easily accessible by each organisation by both management and employees, and also externally to individual data subjects and relevant supervisory authorities. This also applies in the case of public bodies and authorities, taking account of their size and structure.
My company is a private organisation but we carry out public tasks; do we need a DPO?
There is no definition of ‘public authority or body’ in the GDPR as this is determined under national law. The Article 29 Working Party recommends that, as good practice, private organisations carrying out public tasks or exercising public authority should appoint a DPO. Examples of these include public transport services, water and energy supply, road infrastructure, public service broadcasting, public housing or disciplinary bodies for regulated professions.
Can I appoint a DPO from my existing employees?
Yes, so long as their roles are compatible and do not lead to a conflict of interests. You should bear in mind the requirement to appoint a DPO with sufficient expertise in data protection law.
Can I voluntarily appoint a DPO, even if the GDPR says I don’t need one?
Yes, but they will then be subject to the same rules as mandatory DPOs.
Then can I appoint somebody who is responsible for data compliance that isn’t a DPO?
Yes, and the current guidance is that as long as they are more generally responsible for regulatory compliance issues, and don’t call themselves a DPO, then it is unlikely that the mandatory DPO rules in the GDPR will apply to them.
Is the DPO personally liable for any breaches?
No. Responsibility for compliance belongs to the controller or the processor and not the DPO.
- EDPB means the European Data Protection Board
- GDPR means the General Data Protection Regulation, the EU law that effectively replaced the Data Protection Act 1998.
- Data controller means the person/business who determines the purposes for which personal data will be processed, and the manner in which it will be processed.
- Data processor means a person or organisation who processes the data on behalf of the controller.
- DPIA means a data protection impact assessment.
This does not amount to legal advice and is provided for information purposes only. It should not be regarded as a substitute for taking up-to-date legal advice.