A lot of the advice we provide around data protection compliance concerns the importance of being able to illustrate the steps you have taken to comply with the data protection regime as it applies to your business.
Accountability is one of the key principles of the UK/EU GDPR (“GDPR”), and appointing a data protection officer (“DPO”) who has the relevant knowledge and expertise is one of the ways you can show you are accountable to the individuals whose data you process. Although the GDPR doesn’t oblige every business to employ a DPO, a good rule of thumb is to assume that you do need one unless you can clearly demonstrate that the GDPR requirements for appointing a DPO don’t apply to you.
Here we examine the roles and responsibilities of the DPO within an organisation and ask whether you need to appoint one. Many businesses conclude that the best option is to outsource the role to a DPO-as-a-service provider who oversees their data protection practices.
We'll consider the following:
- What is a data protection officer responsible for?
- Do I need a data protection officer under GDPR?
- Do you have to appoint a DPO if you’re not legally obliged to?
- Who can be a data protection officer?
- Can someone from your existing team be appointed DPO?
- Could you outsource the role of data protection officer?
- By appointing a DPO, does that make them solely responsible for data protection compliance?
- What protocols should you put in place to make sure your data protection officer is complying with GDPR?
What is a data protection officer responsible for?
A data protection officer (DPO) should be the go-to person for all data protection issues within an organisation. Your staff should be able to rely on the DPO’s expertise when data protection issues arise, and the general public should be able to contact the DPO directly about the data processing activities of your business. The data protection regulator (in the UK, the Information Commissioner’s Office (ICO)) will also want to correspond with the DPO.
The roles and responsibilities of the DPO are set out in Article 39 of the UK/EU GDPR. These are:
- To inform and advise controllers, processors, and employees of their data protection obligations.
- To monitor GDPR compliance within an organisation, develop staff training and awareness-raising and advise on data protection audits.
- To provide advice on data protection impact assessments (“DPIAs”).
- To liaise with the data protection regulator when necessary and act as a formal contact with the regulator on all issues relating to data processing.
A DPO must always bear in mind the risks associated with any processing activities while carrying out their functions.
Do I need a data protection officer under GDPR?
A DPO helps organisations minimise the risks inherent in processing personal data. With the various sanctions available to the ICO under the GDPR, this is more important now than ever before. But many of our clients – particularly some small and medium-sized businesses – think that appointing a DPO is a disproportionate expense when they only handle a small volume of data or when the data they do process is not overly sensitive. Under the GDPR you have no choice about appointing a DPO if:
- You are a public authority.
- Your core activities require large scale, regular and systematic monitoring of individuals.
- Your core activities consist of large scale processing of special categories of data or data relating to criminal convictions and offences.
To determine your ‘core activities’ you need to consider whether you need to process personal data in order to meet your primary business objectives. If you do, then your processing of data is a core activity requiring you to appoint a data protection officer.
‘Special categories’ of data include racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic and biometric data, sex life or sexual orientation and health data.
Whether you need to appoint a DPO under the GDPR does not depend on the size of your business or the number of employees you have. There’s no exemption or get-out for SMEs in this regard. What matters is the nature and amount of data you process.
Do you have to appoint a DPO if you’re not legally obliged to?
If the requirements of the GDPR about appointment of a DPO don’t apply to your business, do you still need to consider employing one?
You might not process sensitive information, for example, or you may only process the information of a small number of individuals. In these situations, while appointing a DPO might not be necessary, you still have to meet all your obligations under the GDPR – and a DPO can help you ensure compliance by monitoring regularly, advising staff and increasing awareness within your company of all relevant data security issues.
One thing is clear however: if you decide you aren’t going to appoint a DPO you should record your reasons for not doing so. This will enable you to defend your decision if asked to do so by the data protection regulators.
Who can be a data protection officer?
The GDPR doesn’t set out any specific qualifications a DPO needs to have. But when recruiting a DPO for your organisation it’s important to employ someone with appropriate experience and understanding of data protection law and how it applies to the particular industry sector you operate in. A DPO should have appropriate expertise to deal with the issues raised by the type of data you process. So if you are processing a significant volume of highly sensitive data, your DPO should have an advanced understanding of all of the issues likely to arise.
Remember too that when engaging a DPO, that person will be your organisation’s main contact for the ICO and the public. They should have excellent communication and interpersonal skills and be able to bring all of your staff together in promoting a data-secure workplace.
Can someone from your existing team be appointed DPO?
Yes. You don’t necessarily need to hire an external candidate as your DPO. If an employee has the requisite experience, and appointment as DPO wouldn’t conflict with any other responsibilities they may have, you can redeploy that employee as your DPO.
Could you outsource the role of data protection officer?
The complexities of GDPR compliance, coupled with the potential damage to a business when there is a data breach, can make it particularly advantageous for smaller businesses to outsource the DPO role to a professional services company that specialises in data protection. The combined experience and expertise of such a service company will provide additional breadth and depth of practical knowledge to steer your business in the right, compliant direction.
For companies that use external DPOs, payment of a monthly fee provides the peace of mind that they are GDPR-compliant. However, businesses that do outsource the DPO function must remember that the external service company must be given the same role and responsibilities as if the DPO were an employee of the business. External DPOs may also hold some form of certification demonstrating they are qualified to act as a DPO.
By appointing a DPO, does that make them solely responsible for data protection compliance?
Appointment of a DPO does not divest the business owner (the data controller and processor) of responsibility for GDPR compliance. The DPO won’t be liable for a breach if one occurs. Instead, the DPO works to minimise the chance of a breach, to help mitigate the effects if one does occur, and to encourage best data protection practice within your organisation. Ultimately the controller, i.e. the business, will have responsibility for data protection.
What protocols should you put in place to make sure your data protection officer is complying with GDPR?
Article 38 of the GDPR imposes an obligation on data controllers and processors within organisations to support data protection officers with sufficient resources to carry out their tasks. This includes ensuring the DPO has access to personal data and processing operations and is facilitated in maintaining their expert knowledge. In practice, to ensure you are adequately supporting the DPO in performing their functions under GDPR you should:
- Engage the DPO closely in all data protection matters.
- Provide the DPO with the resources and training needed.
- Require the DPO to report regularly to the board or similar management group. Ideally the DPO should have direct access to the most senior management when required.
- Enable the DPO to act independently.
- Ensure the DPO is not prejudiced for carrying out the role. Remember that the DPO will often have to act at arm’s length from colleagues, and this can give rise to tensions and conflict.
Observing protocols like these demonstrates that as a business you take seriously the role of the DPO and data protection compliance generally.