In the latest article of the GDPR series, Razia Begum and Rachel Ashwood examine the specialist role of the Data Protection Officer (‘DPO’) and answer the questions that employers are asking about appointing one.
1. What is a DPO?
The specific role of the DPO is not strictly defined in the General Data Protection Regulation (‘GDPR’). However, what is clear is the broader role of a DPO, which is to deal with ‘all issues which relate to the protection of personal data’.
In reality, the DPO will be the key contact in the business for anything and everything GDPR and data privacy related. In practice, the DPO will be responsible for a number of important tasks, including:
- being a general advisory source to all those in the business;
- monitoring compliance with the GDPR and liaising with the controller (those who specify how and why personal data is processed, which in the case of HR data will be the employer) or processor (those who actually process the personal data);
- advising on data policies and providing related training;
- conducting and advising on data protection impact assessments in the business;
- acting as a point of contact for the Information Commissioner’s Office (‘ICO’), any other supervisory authority as well as for individuals whose data is being processed;
- prioritising tasks to ensure high-risk processing activities are under control; and
- any other function appointed to it by the controller or processor, such as keeping records of processing operations.
At all times whilst carrying out their duties, the DPO should remain independent, as their role is similar to that of an auditor.
2. Do I need a DPO?
Under the GDPR it is compulsory for employers to appoint a DPO if they fall within one of the following three categories:
- where the processing is carried out by a public authority or body (e.g. councils, government departments and emergency services);
- where the core activities of the controller or processor consist of processing operations which require regular and systematic monitoring of data subjects on a large scale (e.g. processing personal data to tailor online advertising or tracking travel card users); or
- where the core activities of the controller or processor consist of processing, on a large scale, special categories of data or personal data relating to criminal convictions and offences (e.g. background checking companies).
Even if your business is not caught by the categories above, the GDPR still places a duty on controllers and processors to have sufficient staff and skills in place to meet their obligations. From a practical standpoint, the voluntary appointment of a DPO could reduce the burden on other areas of the business, such as IT and HR, and improve overall compliance.
As individual Member States can provide for other circumstances in which a DPO is required, it is worth keeping up to date with guidance from the ICO – something which we will continue to cover in this series.
3. Who should I appoint as DPO?
Employers should consider whether it is best to allocate the duties of the DPO to an existing employee, make a new appointment or outsource the role entirely (for example to a contractor or consultant).
Whilst the DPO does not need any specific qualifications, employers should consider appointing an individual with a solid grounding in data protection law and a thorough understanding of the ways that a business such as yours typically handles personal data. Furthermore, as the DPO will liaise with management at the highest level, employers need to appoint someone with good communication skills.
Official guidance from the EU’s Article 29 Working Party suggests a DPO should have the following skills and experience:
- expertise in national and European data protection laws and practices including an in-depth understanding of the GDPR;
- understanding of the processing operations carried out;
- understanding of information technologies and data security;
- knowledge of the business sector and the organisation; and
- the ability to promote a data protection culture within the organisation.
However, employers should bear in mind the size and nature of their businesses as well as the extent of their processing activities. For example, appointing a DPO may be overkill for most small businesses or low-turnover start-ups, where financing a DPO position would be a struggle in a highly competitive market. However, it may be entirely necessary and justified if such businesses process large volumes of patient records or customer insurance data.
The DPO must also act in an independent manner without specific instructions from the controller or processor as to how they perform their duties and tasks. For example, they must be able to liaise with the ICO or investigate a potential data breach without fear of being penalised or dismissed. Given the special nature of the role, DPOs should not be appointed if there is potential for a conflict of interests. Therefore, it is particularly important that an internal appointment does not create a conflict of interest with their other role and duties to the business.
There is nothing to prevent DPOs from working part-time, as long as the role is not neglected. Once the DPO is appointed, their core duties and working arrangements should be documented appropriately, as you would for any other appointment. However, as this is a new role, consider the use of trial periods and ensure that regular review meetings are held during this initial period, to ensure the DPO is meeting the expectations of the business.
4. How should I support the DPO?
The best way to support a DPO is to provide adequate time and resources for them to perform their duties. As above, this should include any relevant safeguards required to allow them to act independently.
In practice, employers should make sure that there are clear channels of communication between the DPO and other areas of the business. The DPO should, where possible, be invited to senior management meetings – especially if there are data protection and compliance issues to consider.
If appropriate, employers should offer on-going training to the DPO and provide a platform for the DPO to educate the wider workforce about GDPR compliance. Again, the size and nature of your business will be relevant when considering the kind of resources the DPO requires.
5. What happens if I don’t appoint a DPO?
As mentioned in a previous article, the consequences for non-compliance with the GDPR are eye-watering. Whilst it seems unlikely that the failure to appoint a DPO will in itself result in a large fine from the ICO, the broader potential risks for non-compliance with the GDPR are too great for employers to overlook. Crucially, in the relevant Article 29 Working Party guidelines, emphasis is placed on the DPO not being personally responsible for non-compliance with the GDPR. Accordingly, any consequences of non-compliance will fall on the relevant controller or processor.
Employers need to ensure they make the right appointment. In particular, those engaging in complex or sensitive processing operations should make sure their DPO is equipped to deal with the challenges ahead. However, even in circumstances where a DPO is not strictly required, employers should give careful thought to a voluntary appointment, to help avoid the consequences of non-compliance.
The UK government’s commitment to the GDPR featured strongly in the Queen’s speech at the opening of the new session of Parliament. In her speech, which set out the government’s legislative plan for the next session, the Queen confirmed that the GDPR (as well as a new EU law enforcement Directive) will be implemented in the UK by means of the Data Protection Bill which, when it comes into force, will replace the 1998 Data Protection Act. One of the key practical effects of the new Bill is that it will ensure that the provisions of the GDPR will be enshrined in English law, even after Brexit takes effect.