Introduction
The GDPR, the General Data Protection Regulation, is enforceable from 25th May 2018, the law was passed into effect in 2016 and was then moved to a waiting phase to allow businesses and organisations to adapt. I will be discussing some of the aspects of the GDPR as I navigate helping businesses and organisations I am involved with change to reflect the new legislation.
In this article I am going to help clarify which companies should absolutely have a Data Protection Officer (DPO); which companies should consider it; what everyone else should do.
The Legislation
As always we should start with the legislation itself, the majority of the information can be found in Chapter IV between Articles 37-39. Article 37 States:
- The controller and the processor shall designate a data protection officer in any case where:
a) the processing is carried out by a public authority or body, except for courts acting in their judicial capacity;
b) the core activities of the controller or the processor consist of processing operations which, by virtue of their nature, their scope and/or their purposes, require regular and systematic monitoring of data subjects on a large scale; or
c) the core activities of the controller or the processor consist of processing on a large scale of special categories of data pursuant to Article 9 and personal data relating to criminal convictions and offences referred to in Article 10.
Most companies who process data are likely to fall into category (b). This may be by hosting large mailing lists or marketing materials that are analysed and processed.
If you have a large list of client contacts that you use simply for your own business, with minimal marketing and no profiling then you do not need a DPO. The vast majority of SMEs will fall into this description. Your duties are to assess the security of your data, who you share it with (especially if you use a company that might process that data for profiling) and the access, storage and transmission of the data.
All of this is covered in different articles that discuss issues such as security, data access and compliance.
An important note is that the ICO has broadly indicated that organisations can appoint a DPO if they feel that they should. This means that if you feel more comfortable having a DPO to advise you and as a point of contact then you should be prepared to appoint one:
Any organisation is able to appoint a DPO. Regardless of whether the GDPR obliges you to appoint a DPO, you must ensure that your organisation has sufficient staff and skills to discharge your obligations under the GDPR.
Large Organisations
If you are a part of a larger organisation, i.e. one with greater than 250 employees then you should have already appointed a data officer, or compliance officer for the existing Data Protection Act. However it is wise to review if the legislation matches their current job or whether you need to adjust their roles and duties.
The GDPR makes a specific point that a data protection officer must be able to follow the tasks outlined in Article 39 and in the manner depicted in recital 97. The most interesting point that for me is that they must be able to perform their duties independently and analyse and report on any member or element of the organisation.
What this means is that the DPO is a seperate role and cannot be carried out by anyone who has other decision making duties, or who may be challenged when carrying out their tasks, or whose duties conflict with that of the DPO.
Their decisions have to be followed as they are expected to be able to carry out all the duties and report to the highest level. They may not be penalised or dismissed for performing these tasks.
They are also named and can be approached by persons outside of the organisation for the purposes of dealing with individual access and control of data (the data subjects rights). They are the first point of contact for matters regarding your GDPR roles and compliance.
Appointing a DPO
When appointing a DPO you must ensure that they are able to follow the roles and responsibilities in Article 39 and observe the caveats indicated above.
You can either employ someone internally or use an outside DPO as a service or as part of a larger trade organisation or group of companies.
Also note that there is no specific training or certification needed for a DPO. What is required is they are familiar with the GDPR and with your organisation. They do not have to undergo any specific courses but you should ensure that they keep themselves up to date on all relevant issues and future legislation.
Conclusions
The DPO is a position that the vast majority of companies will not need as they are either too small or do not carry out enough processing or profiling. However you should undergo a formal assessment and make sure that you have written reasons as to your choice in case of any future enquiry.
You should also check and assess any third party software or services you use to ensure they do not profile, and where they do that they ensure the safety and security of the data that you supply to them and observe the GDPR.
My advice is quite simple: if you think your activities require a DPO then you should probably appoint one.
Further Reading
In all cases it is wise to consult the regulations directly when determining your level of responsibility to make yourself compliant. Further reading for this piece can be found in:
Articles: 9, 10, 13, 29, (Chapter IV), 35, 37, 38, 39, 47
Recitals: 46, 51, 52, 53, 54, 55, 56, 97, 110
There are a number of good resources from the European Union but this article neatly explains the official position on the appointment of a DPO.
[Don't forget that you can join in this conversation by using the comments form at the bottom of the page or by tweeting at @shadowcat_mdk]
