GDPR – What’s a DPO?
The General Data Protection Regulation (GDPR) has introduced many new terms which we will all get familiar with over the next few months. A DPO (Data Protection Officer) is one of them and many people are asking whether they really need one. This is in part due to the confusion created by the to-and-fro between the European Commission, the European Parliament and the Council of Ministers during the drafting of the regulation and subsequent clarifications by a working party (the Article 29 Working Party). With that many fingers in the pie it’s not surprising that there is confusion.
So what does a DPO do?
The role of the DPO is to help the organisation comply with data protection law, to identify and reduce the risks it faces when processing personal data, and to act as the link between data subjects, the organisation’s staff and the supervisory authority on questions about the personal data it holds. The DPO is also the person to whom data protection queries should be directed. The GDPR gives what amounts to a mini job description in Articles 37(5), 37(6) and 39(1):
“The data protection officer shall be designated on the basis of professional qualities and, in particular, expert knowledge of data protection law and practices and the ability to fulfil the tasks referred to in Article 39.” (Article 37(5))
“The data protection officer may be a staff member of the controller or processor, or fulfil the tasks on the basis of a service contract.” (Article 37(6))
“The data protection officer shall have at least the following tasks:
- (a) to inform and advise the controller or the processor and the employees who carry out processing of their obligations pursuant to this Regulation and to other Union or Member State data protection provisions;
- (b) to monitor compliance with this Regulation, with other Union or Member State data protection provisions and with the policies of the controller or processor in relation to the protection of personal data, including the assignment of responsibilities, awareness-raising and training of staff involved in processing operations, and the related audits;
- (c) to provide advice where requested as regards the data protection impact assessment and monitor its performance pursuant to Article 35;
- (d) to cooperate with the supervisory authority;
- (e) to act as the contact point for the supervisory authority on issues relating to processing, including the prior consultation referred to in Article 36, and to consult, where appropriate, with regard to any other matter.”
Do you need to appoint a DPO?
This is, of course, the question! You should assume that you do – unless you can demonstrate that you don’t. That’s because the criteria for appointing a DPO apply to a great many organisations, even though not every organisation needs to appoint one. Confused? Article 37(1) of the GDPR makes a DPO mandatory in three scenarios:
- The processing is carried out by a ‘public authority or body’ (except courts acting in their judicial capacity) – The GDPR does not define what a public authority is; in the UK this is most likely to follow the definition given in Section 3 of the Freedom of Information Act 2000.
- The ‘core activities’ require regular and systematic monitoring of data subjects on a ‘large scale’ – Core activities are the key operations necessary to achieve the organisation’s goals, as opposed to supporting functions such as running the payroll. The Regulation does not define ‘large scale’; the Article 29 Working Party suggests weighing the number of data subjects, the volume and range of data, the duration of the processing and its geographical extent. Examples would include an insurance company or bank processing customer data, a search engine processing personal data for behavioural advertising, a payroll bureau processing payroll data, or an HR support company processing staff information.
- The ‘core activities’ involve ‘large scale’ processing of ‘special categories’ of personal data (Article 9) and of personal data relating to criminal convictions and offences (Article 10) – the Article 29 Working Party reads the ‘and’ here as ‘or’, so either type of data on its own is enough. Special categories of data are broadly the same as Sensitive Personal Data under the Data Protection Act 1998: racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic and biometric data, health data and data concerning sex life or sexual orientation. This scenario applies to, amongst others, polling companies, trade unions and healthcare providers storing patient records.
There has been uncertainty over whether the requirement to appoint a DPO applies to SMEs – possibly because earlier drafts of the GDPR tied the obligation to size thresholds (the European Commission’s 2012 text required a DPO for enterprises with 250 or more employees, and the European Parliament’s text for organisations processing the data of more than 5,000 data subjects in any 12-month period). Neither threshold survived into the final Regulation, and the Information Commissioner’s Office (ICO) has clarified the position:
“I’ve heard plenty of people talking about there being a DPO exemption for SMEs – this is absolutely not the case.” – Peter Brown, Senior Technology Officer, Information Commissioner’s Office (ICO).
Even where the GDPR does not require a DPO, you may wish to appoint someone within your company to carry out the role on a voluntary basis; it is a good way to make sure you are proactive in monitoring GDPR compliance. They don’t need to be called a DPO – you could use the title ‘Privacy Officer’, for example, and doing so makes clear that the person is not a DPO in the Article 37 sense. If you do designate a voluntary DPO, however, that is no excuse to perform the role to any lesser degree: the requirements of Articles 37 to 39 apply to the appointment as if it had been mandatory.
And finally, not having a DPO is not an excuse for non-compliance!
GDPR Preparedness Toolkit Seminar
This 2-hour seminar will help you take your first steps towards compliance by sharing practical insights about implementing a data security based approach in line with the Regulation. You will learn about:
- Why you have to comply with the GDPR and what might happen if you don’t.
- The GDPR’s direct effect on your business and the transition timelines.
- The steps to take in preparing for compliance.
- The technical and organisational measures your business will need to adopt to comply with the Regulation.
- A key assessment toolkit you can use to help you to achieve compliance.
The seminar will be held at The Birch Hotel, Heywood with easy access to the M60, M62 and M66 on:
- Wednesday, 25th October 2017, 14:00 to 16:15
- Wednesday, 29th November 2017, 14:00 to 16:15
Standard tickets are £25.00
Early Bird Discount tickets are £15.00 (available only if you book within 14 days of the seminar)
Contact us on 0345 319 4887 to book or book online with Eventbrite.