Data Protection Officer – do you need to appoint one?
From the 25 May 2018, the GDPR will introduce into legislation an accountability-based compliance framework for data protection. Demonstrating compliance with this significantly enhanced legislation may require organisations to appoint a Data Protection Officer (DPO). In this blog we look at what the role of a DPO is and whether you need to appoint one.
What is the role of a Data Protection Officer?
It can be argued that a DPO has two roles, not one. The first being to help data controllers and data processors comply with data protection legislation and to advise on the management of the data protection risks, rules and rights. The second is to hold organisations to account for the implementation of data protection compliance arrangements and act as a focal point for data subjects and the supervisory authority (the Information Commissioner, in the UK).
“Such is the importance of the role of the DPO…. that a number of Articles in GDPR are dedicated to… appointing one”
The DPO is considered key to not only achieving compliance with GDPR, but also demonstrating how compliance has been achieved. Such is the importance of the role that a DPO contributes in ensuring compliance with data protection legislation, that a number of Articles in GDPR are dedicated to the specific criteria to be applied when appointing one.
Do you need to appoint a DPO?
The appointment of a DPO is a mandatory requirement for both controllers and processors under Article 37 of GDPR, if you are a public authority or if you carry out certain types of processing activities. Specifically, you must appoint a data protection officer (DPO) if:
- you are a public authority (except for courts acting in their judicial capacity);
- your core activities require large-scale, regular and systematic monitoring of individuals (for example, online behaviour tracking); or
- your core activities consist of large-scale processing of special categories of data or data relating to criminal convictions and offences. (special categories of data are defined in Article 9 of GDPR as being; personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs or trade union membership; and the processing of genetic data or biometric data for the purpose of uniquely identifying a natural person; data concerning health or data concerning a natural person’s sex life or sexual orientation).
The regulations don’t specify what actually constitutes either large-scale or regular and systematic monitoring. If your core activities are the primary business activities of your organisation and you need to process personal data to achieve your business objectives, then it is highly likely that you will need to appoint a DPO.
“Organisations such as banks, hospitals and insurance companies would almost certainly need to appoint a DPO”
Giving due consideration to the number of data subjects, the amount and type of data processed and the duration and reasons it is kept should help you decide. Organisations such as banks, hospitals and insurance companies would almost certainly need to appoint a DPO.
Even if you believe that you do not meet the specific requirements mandated under GDPR to appoint a DPO, it may be prudent to do so anyway, as the DPO plays a crucial role in helping you achieve compliance. If you decide that you do not need to appoint a DPO, you should still document the fact to demonstrate that the relevant factors have been considered, and you may need to review this over time if your processing activities change.
We can undertake the DPO role for you, which removes any conflict of interest. Our senior consultant, Brian Penfold, has 30 years of extensive experience in risk management, safety compliance and assurance in highly-regulated environments. We can tailor our DPO service to suit your requirements. This may range from supporting you for a few days a year, to a wide-ranging portfolio of activities designed to help you achieve and maintain compliance. Get in touch for a free no-obligation consultation.