A key change being brought in by the GDPR is the requirement under Article 38 for certain groups of companies to appoint a Data Protection Officer (‘DPO’). Some member states, such as Germany, already have national legislation requiring the appointment of a DPO however the GDPR helps standardise the use of DPOs across all member states.
Definition under the DPA
The DPA does not impose any obligation on organisations to appoint a DPO.
Definition under the GDPR
A Data Protection Officer is required to have expert knowledge or data protection laws and practices and must report directly into the highest management level of a controller or processor.
The GDPR requires that an organisation appoints a DPO where it is a :
- Public authority or body (excluding the courts);
- Private company where the “core activities” of the company include:
(a) a large scale, regular and systematic monitoring of individuals (such as online behaviour tracking);
(b) large scale processing of special categories of data or data relating to criminal convictions and offences.
The draft Data Protection Bill is also likely to require DPOs to be appointed by all law enforcement agencies, and organisations whose “core activities” include processing criminal record data.
Article 39 sets out the following minimum tasks for a DPO:
(a) to inform and advise the controller or the processor and the employees who carry out processing of their obligations
(b) to monitor compliance with this Regulation, including the assignment of responsibilities, awareness-raising and training of staff and the related audits
(c) to provide advice where requested as regards the data protection impact assessments
(d) to cooperate with the supervisory authority
(e) to act as the contact point for the supervisory authority.
What does the GDPR definition really mean?
The DPO is responsible for advising organisations about their obligations under the GDPR as well as monitoring compliance. As part of their role in ensuring compliance, they may be involved in managing internal data protection activities, advising on DPIAs, training staff and conducting audits. The DPO should be the first point of contact for supervisory authorities and individuals whose data is processed.
The DPO should be appointed for their expert knowledge on data protection law and practices and they should be provided with the appropriate resources to carry out their tasks.
What are the significant differences between the DPA and the GDPR?
Under the DPA, organisations are not required to appoint a DPO. Instead, controllers are required to notify their data processing activities with local data protection agencies. For international companies this can be extremely difficult as local agencies may have different notification requirements.
The GDPR harmonises the use of DPOs across the member states and removes the obligation to submit notifications and registrations to local agencies. Instead, the GDPR will require companies to keep adequate internal records and appoint a DPO where a company’s core activities consist of processing operations which require regular and systematic monitoring of data subjects on a large scale or of special categories of data or data relating to criminal convictions and offences.
What effect will this have on UK businesses?
The DPO requirement is one of the key significant changes being brought in under the GDPR and is likely to have a big effect on UK businesses as many companies will fall into a category and will need to appoint a DPO.
In the UK, the appointment of DPOs has been entirely voluntary so the biggest impact on UK businesses will be the difficulty of recruiting a DPO with enough experience of the new regulations, of data protection laws and enough knowledge of the way their business operates. It is thought that there may be an insufficient number of suitably experienced candidates to fill all of the vacancies which will arise as a result of the new rules.
One solution may be to appoint an internal candidate to act as the DPO. The challenge in this approach will be ensuring that the DPO is not in conflict with any of their other duties and to ensure that they are able to exercise their functions in an independent manner. Controllers (or processors if relevant) are not permitted to give any instructions to the DPO about the exercise of their tasks, nor are they permitted to dismiss or impose any penalty on the DPO.
Whilst on one hand the requirement to appoint a DPO can seem like an additional burden on businesses, it can vastly improve the company’s compliance with data protection regulations.
What will my business need to do?
Whether this change will affect your business will depend on whether or not your circumstances mean you are required to appoint a DPO.
If you do, you should consider hiring early to give your DPO time to settle in and get to know your business before the regulations come into force. You should ensure all of your senior staff members are aware that they are not permitted to give instructions to the DPO or impose any penalty on them. If your DPO is an internal hire, you should also ensure adequate provisions are in place to minimise any risk of conflict between their duties.
What happens if I do not appoint a DPO?
Failure to appoint a DPO where required can lead to significant ramifications. Administrative fines can be as high as €10,000,000 or 2% of the company’s worldwide turnover, whichever is higher.
My company is part of a group of companies; do we need a DPO each?
No, you may appoint a single officer to be shared by all of the companies in the group provided that the DPO is easily accessible by each organisation. This also applies in the case of public bodies and authorities, taking account of their size and structure.
My company is a private organisation but we carry out public tasks, do we need a DPO?
There is no definition of ‘public authority or body’ in the GDPR as this is determined under national law. The Article 29 Working Party recommends that, as good practice, private organisations carrying out public tasks or exercising public authority should appoint a DPO. Examples of these include public transport services, water and energy supply, road infrastructure, public service broadcasting, public housing or disciplinary bodies for regulated professions.
Can I appoint a DPO from my existing employees?
Yes, so long as their roles are compatible and do not lead to a conflict of interests. You should bear in mind the requirement to appoint a DPO with sufficient expertise in data protection law.
Can I voluntarily appoint a DPO, even if the GDPR says I don’t need one?
Yes, but they will then be subject to the same rules as mandatory DPOs.
Then can I appoint somebody who is responsible for data compliance that isn’t a DPO?
Yes, and the current guidance is that as long as they are more-generally responsible for regulatory compliance issues, and don’t call themselves a DPO, then it is unlikely that the mandatory DPO rules in the GDPR will apply to them.
Is the DPO personally liable for any breaches?
No. Responsibility for compliance belongs to the controller or the processor and not the DPO.
- DPA means the Data Protection Act 1998, the statute that previously governed the processing of personal data in the UK.
- GDPR means the General Data Protection Regulation, the EU law that now is in place of the Data Protection Act 1998.
- Data controller means the person/business who determines the purposes for which personal data will be processed, and the manner in which it will be processed.
- Data processor means a person or organisation who processes the data on behalf of the controller
- DPIA means a data protection impact assessment
This briefing is based on the law as it stands in February 2018. It is possible (and, indeed, likely) that, before the GDPR comes into force in May 2018, the Information Commissioner’s Office will release a number of guidance notes that will help to interpret the GDPR. These guidance notes may offer additional advice for UK businesses, and may even cause some of the information in this briefing to become incorrect. As a result, this briefing does not amount to legal advice and is provided for information purposes only. It should not be regarded as a substitute for taking up-to-date legal advice.