GDPR - Does your business need a DPO?
A study from the IAPP in 2016 estimated that there are at least 28,000 data protection officer roles which need to be filled in order to achieve compliance with the General Data Protection Regulation (2016/679, “GDPR”).
An unfilled role represents a potential risk and could amount to a breach of the Regulation. As we regularly advise our clients on such questions, we thought we would share our insights in this article.
What is a Data Protection Officer?
A data protection officer (DPO) is responsible for overseeing a company’s data protection policies and practices and their day-to-day implementation to ensure compliance with the GDPR. DPOs should make sure that the company and its employees are educated on the GDPR, have appropriate agreements in place, and serve as a point of contact between a company and its national data protection authority.
A DPO will generally take charge in the event of a data breach. Should a data breach occur, the DPO should be notified first. It will then be their responsibility to evaluate the impacts, notify the relevant data protection authority, notify affected data subjects, and notify any controllers who are affected. It is important to note that DPOs are independent and cannot be fired or sanctioned for carrying out their duties.
Does my business need a Data Protection Officer?
Under Article 37 of the GDPR, a DPO is mandatory for public bodies or authorities; for commercial or non-profit organisations whose core activities consist of processing operations which require regular and systematic monitoring of data subjects on a large scale; or where the core activities of the business (acting as a data controller or data processor) consist of large-scale processing of sensitive categories of data, such as information relating to health, ethnic origin or religion, or data relating to criminal convictions or offences.
In other words, there is no specific checklist to confirm whether or not your company should appoint a DPO. It is up to companies themselves to evaluate this, and often this can be achieved by undertaking a Data Protection Audit, compiling a Processing Register or carrying out a Data Protection Impact Assessment (or “DPIA”) to ascertain the level of risk of specific processing activities, as well as by understanding the nature and volume of processing carried out within an organisation.
It is important to note that it is not the size of an organisation that dictates whether a DPO is necessary; rather, it is the size and scope of its personal data handling. The GDPR does not specifically define what a data protection authority might consider to be “large scale” data handling. If you suspect that your handling and processing of data may be on a large scale, it probably is!
Indeed, guidance states that when ascertaining whether data processing is being carried out on a large-scale basis, regard should be had to:
The number of data subjects concerned, either as a specific number or as a proportion of the relevant population;
The volume of data and/or the range of different data items being processed;
The duration, or permanence, of the data processing activity;
The geographical extent of the processing activity.
The analysis can therefore be a complex one. Sometimes, when acting as a data processor for your clients (for example if you are providing SaaS solutions, online applications or cookies / analytics services), you might be deemed to be conducting data processing on a large scale once the data of all of your clients is combined, even if you are not processing large-scale data as part of your own internal business.
Appointing a data protection officer is useful as a risk mitigation exercise.
It can be good practice to voluntarily appoint a DPO even if it is not mandatory. Regulators have issued guidance stating that in the event of a data breach they will ask companies whether they have a DPO, and companies may be asked to justify why they do not have one - even if it has not been a mandatory requirement.
When deciding if you need a DPO: look at your data subjects, data items, the length of time you are retaining data for and the geographic range of your data processing. If any of it seems large scale or complex, you probably do need to appoint a DPO.
It is nonetheless important to note that companies which do appoint a DPO on a voluntary basis will become liable for ensuring that the appointment is consistent with the GDPR requirements, as if such appointment had been a mandatory one. Therefore, organisations which do not need to appoint a DPO on a compulsory basis often choose to hire a data protection counsel or privacy specialist so that key compliance tasks can be carried out along with other areas of corporate compliance, without engaging specific DPO obligations.
Will a DPO Negate GDPR Liability?
Appointing a DPO does not mean that your company will be exonerated for any GDPR compliance failings!
In guidelines published in 2016 in readiness for the GDPR, the Article 29 Data Protection Working Party advised that a controller, processor or sub-processor remains ultimately responsible for ensuring that their policies and practices are in line with the GDPR. This means that regardless of how much autonomy a DPO is given, the companies that employ them remain liable for any data breaches, and the DPO is not personally accountable for any non-compliance with the GDPR.
However, this doesn’t mean that a DPO has no liability for their own actions. They remain liable for non-compliance with any general employment procedures and can be dismissed or penalised on grounds related or unrelated to data protection.
In order to reduce risk, be clear in your contracts about the standard of care that you expect from your DPO, and make sure that you aid the DPO in their role. If a DPO is put in a position where they cannot complete the tasks expected of them - for example, if they are given a lack of resources or training - their degree of responsibility will likely be reduced.
How to Choose a DPO?
The GDPR does not set out a list of required credentials for a DPO. However, this does not mean that anyone can be appointed as your DPO as a tick-box exercise. A DPO must be someone who has the expert knowledge and ability to fulfil the tasks. This does not necessarily need to be a lawyer, but it must be someone with a good knowledge of the GDPR and data protection. Often it can be helpful to appoint an individual with IT security knowledge in order to assist compliance with the GDPR obligations to ensure the confidentiality and security of personal data, especially when processing takes place in a digital or online environment.
A DPO does not have to be an in-house employee: under the GDPR, external DPOs are permitted (for example, external law firms or consultants working on a freelance basis). Accordingly, whether on an external or employed basis, DPOs are able to work on a full-time or part-time contract, provided that they are able to dedicate sufficient time and resources to fulfilling their obligations.
Autonomy and Independence
There must be no conflict of interest between a DPO, the company and upholding the spirit of the GDPR, meaning that an appointed DPO should not have any current duties or responsibilities that could get in the way of their monitoring abilities. Violating the conflict of interest rule renders companies liable to a fine of up to €10 million or 2% of the company’s worldwide turnover, whichever is higher.
The Bavarian Data Protection authority has advised that a member of an in-house legal department may have too many conflicts of interest to be a DPO since they may be required to represent the company in legal proceedings.
Furthermore, a CEO or other senior member of the management board is unlikely to be an appropriate DPO. Not only do the functions of a DPO require specific time and attention which may be incompatible with the functions of senior company members, but it is also unlikely that they will be entirely impartial: there may be a tendency (even an indirect one) to play down GDPR risk in order to avoid sanctions which cause financial exposure and impact an organisation’s profits. If you think there might be a conflict of interest, there probably is one, and to avoid issues it is worth ensuring the DPO is fully independent.
When appointing a DPO, ensure that they are an expert in data protection law and that they understand your company’s IT infrastructure, and technical and organisational structures. Every company is different!
Understand your company’s unique selling points and how it operates within its chosen sector, and work out which aspects of your company are most important to you, particularly if personal data processing is a core part of your business (for example, if you are running a staffing agency with large volumes of candidate data, or are carrying out systematic data processing on behalf of your clients through online data analytics).
The freedom to choose your own internal or external DPO means you can choose an officer who embodies the values you wish your company to uphold, presenting a new way of thinking about security.
Should you have any queries on whether you need to appoint a DPO or if you have any other privacy or data protection enquiries, please don’t hesitate to get in contact!
Article by Lily Morrison and Charlotte Gerrish @ Gerrish Legal, September 2019