#AtoZofGDPR - D is for Data Protection Officer
Following the implementation of GDPR lots of questions have been asked around Data Protection Officers and whether your organisation needs to employ a Data Protection Officer (DPO).
Article 37 of the GDPR requires certain organisations appoint a DPO. Satisfying the demands laid out in the GDPR is not easy. The list of tasks will be familiar to anyone who has worked in Data Protection for some time however, the concept of independence in the DPO role under the GDPR is new.
What is a DPO?
The DPO takes an independent monitoring and advisory role informing you of your data protection obligations and supporting your compliance.
They are the point of contact for data subjects and the your relevant supervisory authority.
They provide advice regarding Data Protection Impact Assessments (DPIAs). A DPIA must be carried out where a planned or existing processing operation “is likely to result in a high risk to the rights and freedoms of individuals”.
The Data Protection Officer (DPO) role is an important evolution of the GDPR and a cornerstone of the GDPR’s accountability-based framework for compliance. In addition to supporting an organisation’s compliance with the GDPR, DPOs will have an essential role in acting as intermediaries between relevant stakeholders (e.g. supervisory authorities, data subjects, and business units within an organisation).
A DPO may be a member of staff at the 'appropriate level' with the appropriate training, an external DPO, or one shared by a group of organisations, which are all options provided for in the GDPR. The DPO should have professional standing, independence, expert knowledge of data protection and, to quote the GDPR, be ‘involved properly and in a timely manner’ in all issues relating to the protection of personal data.
It is important to note that DPOs are not personally responsible where an organisation does not comply with the GDPR. The GDPR makes it clear that it is the Data Controller or the Data Processor who is required to ensure, and to be able to demonstrate, that the data is being processed in accordance with the GDPR. Data protection compliance is ultimately the responsibility of the controller or the processor.
Organisations are only required to appoint a DPO if their core activities consist of processing operations which by virtue of their nature, their scope or their purposes, require regular and systematic monitoring of data subjects on a large scale OR your core activities consist of processing on a large scale of special categories of data (or sensitive data)
What is Sensitive Data?
Sensitive Data is personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation.
Article 37(1) GDPR requires data controllers and processors to designate a DPO in any case where:
- the processing is carried out by a public authority or body;
- the ‘core activities’ of the controller/ processor consist of processing operations which ‘require regular and systematic monitoring of data subjects on a large scale’; or
- the core activities of the controller/ processor consist of processing on a large scale of ‘special categories of data’ or personal data relating to criminal convictions and offences.
Points that need to be considered:
Consider your business's core activities to assess whether they consist of personal data processing operations on a large scale that:
- involve regular and systematic monitoring of data subjects;
- involve special category personal data (sensitive data);
- relate to criminal convictions and offenses.
When considering your Organisation's core activities:
- Document your primary activities and the critical processing for those activities e.g. processing patient health records to provide health care services or processing employee personal data to provide payroll services to your clients; and
- Exclude non-primary activity processing such as processing employee personal data to pay your employees.
NOTE: If you have already completed a Data Mapping exercise then this information should already have been identified.
When considering whether the processing activity occurs on a large scale, document:
- the number of data subjects whose data is being processed by you, both in total numbers of data subjects and also as a percentage of the population of the country relevant to your business operations
- the number and scope of the different personal data categories processed
- the duration of the processing; and
- the geographic extent of the processing.
When considering whether the processing activity involves the regular and systematic monitoring of data subjects, document:
- whether the processing includes ongoing, repetitive, or recurring activities;
- whether the processing includes any forms of monitoring or profiling, including for online behavioural advertising; and
- the nature of the organisation and strategy of the processing.
Document your internal assessment of whether your business must appoint a DPO and your reasoning for that. Organisations should consider appointing a data protection champion, even if the GDPR does not require them to appoint DPO. Both the Data Protection Commissioner in Ireland and the ICO in the UK have stated that transparency will be a key aspect in demonstrating compliance. Appointing a Data Protection Lead / champion / manager or DPO where necessary should be seen as positive actions.
"What the GDPR requires of organisations is that in collecting and processing what's called personal data for many of us..."
they have to do it in a way that is lawful, that is fair and transparent,”
NOTE: Organisations must use caution when using the title "Data Protection Officer" unless the position meets all of the criteria set out in the GDPR for appointing a DPO.
Assess where the DPO or data protection lead will sit within your business. To assess the best reporting structure and position with your organisation, consider:
- the structure of your organisation;
- the existing governance that you have in place; and
- the overall privacy risks – the higher the risk, the more senior the position should be.
Document the DPO or other data protection leader's role and job description. You must provide the DPO or Other Data Protection Leader with the necessary and appropriate Resources:
- ensure you have management buy in for the role and function of the DPO.
- ensure the DPO has sufficient time to perform all required duties and if necessary appoint support staff to assist the DPO.
- ensure the DPO has adequate resources to carry out the requisite tasks including a sufficient budget based on the organisation's size, location(s), and financial means and the complexity and sensitivity of the processing.
- ensure all staff co-operate with the DPO and other data protection team members and that they can access all the information, operations and facilities they need.
- ensure the DPO and data protection team members receive ongoing training on data protection law and practice.
- ensure that the DPO is completely autonomous and independent.
Conflict of Interests
It is important to take into account that while a DPO is permitted to fulfil other tasks and duties, the organisation is required to ensure that any such tasks and duties do not result in a conflict of interests. This is essential to protecting the independence of the DPO. In particular, it means that a DPO cannot hold a position in an organisation where they have the authority to decide the purposes for which personal data is processed and the means by which it is processed.
While each organisational structure should be considered case by case, as a rule of thumb, conflicting positions within an organisation may include senior management positions such as chief executive, chief operating/financial/medical officer, head of HR or head of IT). The WP29 guidelines on DPO’s address this matter in further detail.
Publication and communication of the DPO’s contact details
Organisations are required by the GDPR to publish the contact details of the DPO and to communicate these details to the relevant data protection authority. The purpose of this requirement is to ensure that individuals (internal and external to the organisation) and the data protection authority can easily and directly contact the DPO without having to contact another part of the organisation. Further guidance is included in the WP 29’s guidelines.
Outsourcing your Data Protection Officer....
Don't forget. Under the GDPR your organisation can outsource the role of the Data Protection Officer. This can be a cost effective route to compliance. XpertDPO offer this service and we would be delighted to discuss your requirements with you.