GDPR: Preparing for Change! What do Employers and HR teams need to know?
Part 7: Do you need to appoint a Data Protection Officer (DPO)?
Welcome to the final part of our blog series on the General Data Protection Regulation (GDPR) and what it means for employers and HR teams. This blog will concentrate on the new rules on the appointment of Data Protection Officers (DPO) under the GDPR and how these will affect employers and HR teams.
What is a Data Protection Officer (DPO)?
A DPO is a designated person within an organisation who is responsible for ensuring data protection compliance after the introduction of the GDPR. This person is appointed and will be the primary contact within the organisation for data protection compliance.
Under the Data Protection Act 1998 (DPA) there was no requirement for organisations to appoint a DPO. Whilst the Data Protection Directive, which was given effect in the UK by the DPA, did not specifically require the appointment of a DPO some EU member states have implemented the appointment of a DPO. For example, in Germany and Sweden, appointing a DPO within an organisation, makes the organisation exempt from having to register with the local data protection authority.
In the UK, there has been no such requirement to date, and with the introduction of the GDPR on 25 May 2018, that all changes, in certain circumstances.
Do we need to appoint a DPO?
The imminent enforcement of the GDPR has led to organisations wondering whether they will be required to appoint a DPO, and if so, how they will fill such a role.
There are three circumstances where an organisation is required to appoint a DPO:
- where the processing is carried out by a public authority or body, with the exception of our courts;
- where the core activities of the controller or processor require regular and systematic monitoring of data subjects on a large scale – this would apply where the key operations necessary to achieve the controller/processor’s goals involve regular and systematic monitoring of data subjects. For example a private security company that carries out surveillance on a number of public areas such as shopping centres – a core activity of the business is surveillance therefore they would need to appoint a DPO; and
- where the core activities of the controller or processor consists of processing special categories of personal data (race, ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, genetic data, biometric data, health data, sex life or sexual orientation) or data relating to criminal convictions and offences on a large scale – the GDPR does not define “large scale” and this is left for organisations to decide with regard to the number of data subjects concerned, the volume of data, the duration of the processing and the geographical extent of processing. The Article 29 Working Party has produced guidance on this and suggests that large scale processing would cover operations that aim to process a considerable amount of data which could affect a large number of data subjects. For example, a hospital processing patient data or the processing of travel data by public transport systems would be regarded as large scale processing. Processing of data by an individual (not an organisation) would not be considered large scale.
Therefore, if your organisation meets any of the conditions above, you will be under an obligation to appoint a DPO under the GDPR. This obligation applies equally to data controllers and processors – a controller may not be required to appoint a DPO, however a processor may be required to appoint a DPO if they meet the tests set out above. For example, an organisation outsources its HR functions to another party who is the data processor. If the outsourced HR organisation provided these services for many organisations, they would be not just a data processor but also caught by DPO obligations.
What if you are a group of companies?
A group of companies may appoint one DPO, as long as all of the group companies have easy access to the DPO.
Organisations who do not require to appoint a DPO, may still wish to appoint a DPO to ensure that data protection matters are a high priority within the organisation. However, be aware, if you do so, even though it is a voluntary practice, the appointment will bring with it all of the legal obligations.
What is involved in the role of a DPO?
The DPO will be the individual who has overall responsibility for data protection compliance and therefore is required to have expert knowledge of data protection law and practice and be capable of performing the functions of a DPO. The DPO can be an existing employee or the role of a DPO can be outsourced to a consultant. A DPO can also be a full or part time role, provided that the DPO can fulfil all of their obligations.
The duties of a DPO are as follows:
- oversee and deal with all data protection matters;
- contact point for data subjects and data protection authorities;
- inform and advise the controller/processor about GDPR obligations;
- monitor GDPR compliance;
- advise on PIA’s.
There are various protections in place for the DPO – an organisation cannot instruct the DPO in the performance of its duties (i.e. the DPO has a degree of independence from the organisation in relation to the performance of its duties), nor can they terminate the DPO’s employment or take disciplinary action as a result of the performance of its duties. Therefore, it may not be appropriate for an organisation to appoint the HR Director or the IT Director as the DPO as there would be a conflict of interest here. The DPO needs to be able to decide courses of action in relation to data processing and should not be involved in other areas of the organisation that decide on the purposes and means of processing. The Article 29 Working Party suggests that the following roles would not be suitable to be appointed DPO:
- Chief Executive;
- Chief Operating Officer;
- Chief Financial Officer;
- Head of Marketing;
- Head of Human Resources; and
- Head of IT.
A DPO should also report to the highest level of management and be involved in senior management meetings regularly. The DPO’s opinion on data protection matters should be given due weight and must be properly consulted on issues that arise.
With less than one year to go, organisations should be preparing for the GDPR:
- Read our blogs and attend our GDPR seminars;
- Consider whether your organisation requires to appoint a DPO;
- If your organisation is required to appoint a DPO, you should start to consider how that role should be filled i.e. internal appointments or external appointments.
Read our previous blogs in this series:
Part 1: Overview of the new rules
Part 2: Employee rights under the GDPR
Part 3: Lawful processing
Part 4: Employee monitoring under the GDPR
Part 5: Mandatory Data Breach Notification
Part 6: Subject Access Requests under the GDPR – a real issue for employers?
Contact our Specialist Compliance and Regulatory Lawyers
MacRoberts’ team of data protection specialists can provide expertise and advice to businesses wishing to adopt this proactive approach to compliance preparation. We pride ourselves on our diverse, resourceful and highly skilled team of compliance and regulatory solicitors, who have substantial commercial and legal experience, delivering a pragmatic and commercial approach to our clients and their businesses.
If you require advice, assistance or representation in relation to the upcoming General Data Protection Regulation obligations or any other compliance and regulatory matters, contact our team today for expert advice tailored to your needs and/or sign up to our newsletter to keep up to date with the latest GDPR news and developments.