PART 1 - Data Protection Officers: A Requirement or a luxury?

In 2016, the International Association for Privacy Professionals estimated that there would be nearly 30,000 data protection officer roles which need to be filled in order for companies to achieve compliance with the General Data Protection Regulation (2016/679, “GDPR”).

In this first of our two-part series, we look at whether a company has a legal requirement to appoint a Data Protection Officer, and whether it can be a good idea for a company to appoint a Data Protection Officer on a voluntary basis as a data privacy compliance tool. In the second part of this mini-series, we then provide tips and tricks about how best to proceed with an appointment, and the key skills that your nominated person should have to drive your privacy compliance forwards.

What is a Data Protection Officer (DPO)?

A data protection officer (DPO) is responsible for overseeing a company’s data protection policies and practices and their day-to-day implementation to ensure compliance with the GDPR. DPOs should make sure that the company and its employees are educated on the GDPR, have appropriate agreements in place, and serve as a point of contact between a company and its national data protection authority.

A DPO will generally take charge in the event of a data breach. Should a data breach occur, the DPO should be notified first. It will then be their responsibility to evaluate the impacts, notify the relevant data protection authority, notify affected data subjects, and notify any controllers who are affected. It is important to note that DPOs are independent and cannot be fired or sanctioned for carrying out their duties.

Is it a requirement for my business to appoint a DPO?

Under Article 37 of the GDPR, DPOs are mandatory for public bodies or authorities; for commercial or non-profit organisations whose core activities involve processing personal data in a way that requires regular and systematic monitoring of data subjects on a large scale; or for organisations whose core activities (acting as a data controller or data processor) consist of large-scale processing of sensitive categories of data, such as information relating to health, ethnic origin, religion, or criminal convictions and offences.

In other words, there is no specific check-list to confirm whether or not your company should appoint a DPO. It is up to companies themselves to evaluate this, and often this can be achieved by undertaking a Data Protection Audit, compiling a Processing Register or carrying out a Data Protection Impact Assessment (or “DPIA”) to ascertain the level of risk of specific processing activities, as well as understanding the nature and volume of processing carried out within an organisation.

It is important to note that it is not the size of an organisation that dictates whether a DPO is necessary; rather, it is the size and scope of its personal data handling. The GDPR does not specifically define what a data protection authority might consider to be “large scale” data handling. If you suspect that your handling and processing of data may be on a large scale, it probably is!

Indeed, guidance states that when ascertaining whether data processing is being carried out on a large-scale basis, regard should be had to:

  • The number of data subjects concerned - either as a specific number or as a proportion of the relevant population

  • The volume of data and/or the range of different data items being processed

  • The duration, or permanence, of the data processing activity

  • The geographical extent of the processing activity.

The analysis can therefore be a complex one. If you act as a data processor for your clients (for example, if you provide SaaS solutions, online applications or cookies / analytics services), you might be deemed to be conducting data processing on a large scale once the data of all of your clients is combined, even if you do not process large-scale data as part of your own internal business.

What about a voluntary appointment?

It can be good practice to voluntarily appoint a DPO as a risk mitigation exercise, even if it is not mandatory. Regulators have issued guidance stating that in the event of a data breach they will ask companies whether they have a DPO, and companies may be asked to justify why they do not have one, even if it has not been a mandatory requirement.

When deciding if you need a DPO, look at your data subjects, your data items, the length of time for which you retain data, and the geographic range of your data processing. If any of it seems large scale or complex, you probably do need to appoint a DPO.

It is nonetheless important to note that companies which do appoint a DPO on a voluntary basis will become liable for ensuring that the appointment is consistent with the GDPR requirements, as if such appointment had been a mandatory one. Therefore, organisations which do not need to appoint a DPO on a compulsory basis often choose to hire a data protection counsel or privacy specialist so that key compliance tasks can be carried out along with other areas of corporate compliance, without engaging specific DPO obligations.

Is a DPO responsible for their company’s breaches?

Appointing a DPO does not mean that your company will be exonerated for any GDPR compliance failings!

In guidelines published in 2016 in readiness for the GDPR, the Article 29 Data Protection Working Party advised that a controller, processor or sub-processor remains ultimately responsible for ensuring that its policies and practices are in line with the GDPR. This means that regardless of how much autonomy a DPO is given, the companies that employ them remain liable for any data breaches, and the DPO is not personally accountable for any non-compliance with the GDPR.

However, this doesn’t mean that a DPO has no liability for their own actions. They remain liable for non-compliance with any general employment procedures and can be dismissed or penalised on grounds related or unrelated to data protection.

In order to reduce risk, be clear in your contracts about the standard of care that you expect from your DPO, and make sure that you support the DPO in their role. If a DPO is put in a position where they cannot complete the tasks expected of them, for example because they lack resources or training, their degree of responsibility will likely be reduced.

Should you have any queries on whether you need to appoint a DPO or if you have any other privacy or data protection enquiries, please don’t hesitate to get in contact!

Article by the Team @ Gerrish Legal, April 2021
