It is recommended that you download and study the full text provided by the ICO.
Under the GDPR, you must appoint a DPO if:
This applies to both controllers and processors. You can appoint a DPO if you wish, even if you aren't required to. If you decide to voluntarily appoint a DPO, you should be aware that the same requirements for the position and tasks apply as if the appointment had been mandatory.
Regardless of whether the GDPR obliges you to appoint a DPO, you must ensure that your organisation has sufficient staff and resources to discharge your obligations under the GDPR. However, a DPO can help you operate within the law by advising and helping to monitor compliance. In this way, a DPO can be seen to play a key role in your organisation's data protection governance structure and to help improve accountability.
If you decide that you don't need to appoint a DPO, either voluntarily or because you don't meet the above criteria, it's a good idea to record this decision to help demonstrate compliance with the accountability principle.
The Data Protection Bill will define what a 'public authority' is under the GDPR. This is likely to be the same as those defined under the Freedom of Information Act 2000 (FOIA) or the Freedom of Information (Scotland) Act 2002.
Your core activities are the primary business activities of your organisation. So, if you need to process personal data to achieve your key objectives, this is a core activity. This is different to processing personal data for other secondary purposes, which may be something you do all the time (eg payroll or HR information), but which is not part of carrying out your primary objectives.
The other two conditions that require you to appoint a DPO only apply when:
This means that if you are already defined as a public authority or public body under FOIA or the Scottish FOIA, it's likely you will be a public authority under the GDPR. However, the Data Protection Bill is subject to amendment and so you should confirm your status when the Bill becomes an Act of Parliament.
For most organisations, processing personal data for HR purposes will be a secondary function to their main business activities and so will not be part of their core activities.
However, an HR service provider necessarily processes personal data as part of its core activities to provide HR functions for its client organisations. At the same time, it will also process HR information for its own employees, which will be regarded as an ancillary function and not part of its core activities.
There are two key elements to this condition requiring you to appoint a DPO. Although the GDPR does not define 'regular and systematic monitoring' or 'large scale', the Article 29 Working Party has provided some guidance on these terms in its guidelines on DPOs.
'Regular and systematic' monitoring of data subjects includes all forms of tracking and profiling, both online and offline. An example of this is processing for the purposes of behavioural advertising.
When determining if processing is on a large scale, the guidelines say you should take the following factors into consideration:
A large retail website uses algorithms to monitor the searches and purchases of its users and, based on this information, it offers recommendations to them. As this takes place continuously and according to predefined criteria, it can be considered as regular and systematic monitoring of data subjects on a large scale.
Processing special category data or criminal conviction or offences data carries more risk than other personal data. So when you process this type of data on a large scale you are required to appoint a DPO, who can provide more oversight. Again, the factors relevant to large-scale processing can include:
A health insurance company processes a wide range of personal data about a large number of individuals, including medical conditions and other health information. This can be considered as processing special category data on a large scale.
The DPO's tasks are defined in Article 39 as:
It's important to remember that the DPO's tasks cover all personal data processing activities, not just those that require their appointment under Article 37(1).
The GDPR says that you can assign further tasks and duties, so long as they don't result in a conflict of interests with the DPO's primary tasks.
As an example of assigning other tasks, Article 30 requires that organisations must maintain records of processing operations. There is nothing preventing this task being allocated to the DPO.
Basically this means the DPO cannot hold a position within your organisation that leads him or her to determine the purposes and the means of the processing of personal data. At the same time, the DPO shouldn't be expected to manage competing objectives that could result in data protection taking a secondary role to business interests.
A company's head of marketing plans an advertising campaign, including which of the company's customers to target, what method of communication and the personal details to use. This person cannot also be the company's DPO, as the decision-making is likely to lead to a conflict of interests between the campaign's aims and the company's data protection obligations.
On the other hand, a public authority could appoint its existing FOI officer / records manager as its DPO. There is no conflict of interests here as these roles are about ensuring information rights compliance, rather than making decisions about the purposes of processing.
Yes. As long as the professional duties of the employee are compatible with the duties of the DPO and do not lead to a conflict of interests, you can appoint an existing employee as your DPO, rather than you having to create a new post.
You can contract out the role of DPO externally, based on a service contract with an individual or an organisation. It's important to be aware that an externally-appointed DPO should have the same position, tasks and duties as an internally-appointed one.
You must ensure that:
This shows the importance of the DPO to your organisation and that you must provide sufficient support so they can carry out their role independently. Part of this is the requirement for your DPO to report to the highest level of management. This doesn't mean the DPO has to be line-managed at this level, but they must have direct access to give advice to senior managers who are making decisions about personal data processing.
The GDPR requires you to:
This is to enable individuals, your employees and the ICO to contact the DPO as needed. You aren't required to include the name of the DPO when publishing their contact details, but you can choose to provide this if you think it's necessary or helpful.
You're also required to provide your DPO's contact details in the following circumstances:
However, remember you do have to provide your DPO's name if you report a personal data breach to the ICO and to those individuals affected by it.
The DPO isn't personally liable for data protection compliance. As the controller or processor, it remains your responsibility to comply with the GDPR. Nevertheless, the DPO clearly plays a crucial role in helping you to fulfil your organisation's data protection obligations.