Carbon Law Partners’ GDPR and Data Protection expert Jon Moore guides us through what we need to know about Data Protection Officers.
WHAT IS A DATA PROTECTION OFFICER?
A Data Protection Officer (DPO) is the person appointed by an organisation to oversee its compliance with data protection laws.
It’s the DPO’s role to be involved in all issues relating to data protection. Some organisations are obliged to appoint a DPO but for others the appointment of a DPO is voluntary.
DO I NEED A DPO?
You will need to appoint a DPO if you fall within one of the following three categories. This is regardless of whether you’re typically acting as a controller* or processor.
1. If you’re a public authority or public body
Under the new Data Protection Act 2018, ‘public authority / public body’ broadly adopts the same definition which is used in the Freedom of Information Act 2000 (with a few exemptions).
2. If your core activities require large-scale, regular and systematic monitoring of individuals
Your ‘core activities’ are your primary business activities (rather than ancillary activities in support of your organisation). Whether the processing is ‘large scale’ will depend on the number of individuals whose data is being processed, the volume and range of data, the geographical extent of your activities and the duration of your activities.
‘Monitoring of individuals’ might include tracking and profiling activities such as behavioural advertising. Online retailers who monitor the online activities of their website users to offer targeted recommendations may well fall under this category and therefore need to appoint a DPO.
3. If your core activities consist of large-scale processing of special category data (such as health data)
Large-scale use of special category data could include organisations of a reasonable size operating in the healthcare sector that use wide-ranging health information about a significant number of individuals.
Even if you are not required to appoint a DPO, you might still want to appoint one anyway to demonstrate (and help you achieve) a thorough approach to data protection compliance. It’s worth highlighting that where you appoint a DPO voluntarily, you will still have to comply with the same GDPR requirements relating to DPOs that apply where the appointment is mandatory.
OR NOT TO APPOINT?
If you decide not to appoint a DPO, it is still important to ensure that you have sufficient staff, skills and compliance processes to ensure you meet the various obligations imposed by the GDPR. Where you decide not to appoint a DPO, the ICO recommends that you record why you came to this decision to help you demonstrate compliance with the accountability principle.
WHAT DOES A DPO DO?
The tasks of the DPO are prescribed by Article 39 of the GDPR and include:
- Informing and advising the organisation on its obligations to comply with data protection law
- Monitoring compliance with data protection laws and also with the organisation’s own data protection policies and procedures
- Raising awareness with staff about data protection issues
- Providing staff training
- Conducting internal audits of data processing activities
- Advising on data protection impact assessments
- Cooperating with the ICO
- Being the first point of contact for the ICO and for individuals whose data is being processed by your organisation
WHO SHOULD I PICK TO BE MY DPO?
- The DPO is required to report to the highest level of management.
- They must operate independently and have adequate resources to carry out their tasks.
- They need to have professional qualities, experience and expert knowledge of data protection laws and practices.
- He/she can be an existing employee or appointed externally. Where an existing employee is assigned the role of DPO, it’s essential that their existing role and duties do not conflict with their role as DPO.
- The DPO’s other role can’t be one that leads him or her to determine the purposes and means of processing personal data (which will often rule out many department heads in your organisation).
- The DPO also shouldn’t be expected to manage competing objectives which could result in data protection taking a secondary role to business interests (which would likely rule out finance and marketing directors).
WHAT ARE THE ADVANTAGES OF APPOINTING A DPO?
‘Accountability’ is one of the new data protection principles at the heart of the GDPR. It’s all about demonstrating your compliance with data protection laws. Appointing a DPO voluntarily is just one way you demonstrate that you are taking data protection seriously (both to the ICO and to your customers) and are doing what you can to comply with data protection laws.
WHAT CARBON CAN DO TO HELP
Carbon Law Partners offer an external DPO service. We can act as a DPO for organisations that would like to appoint a DPO but decide not to fill the role internally. As a law firm with significant experience in data protection, we have the experience and expert knowledge of data protection laws and practices required by the GDPR.
*A controller is a person or organisation which determines the purposes for which and the manner in which data is used. A processor simply uses personal data on behalf of the controller.