The clock is ticking to May next year, when a major reboot of European data protection laws takes place. The General Data Protection Regulation (GDPR) will apply across European Union member states (including the UK, pre- and almost certainly post-Brexit).
Many headlines have been written about the sanctions for contraventions (up to €20m or 4% of an organisation’s annual global turnover) and about changes to such concepts as consent, accountability, and data subjects’ rights, but what has perhaps been rather overlooked is that it will introduce a statutory basis for a role that has until now only ever really had an informal status – the data protection officer (DPO).
Until now, in the UK certainly, but also across much of Europe and the rest of the world, the role of DPO has been largely undefined. The existing European data protection framework dates from an EU directive from 1995.
In those days “data” was almost exclusively seen in a computing context, and the first people given the informal title of DPO were mostly people from an ICT background – those who could understand the flow of computerised data, and identify and “protect” the data relating to identifiable individuals.
In the years since, as technology has suffused all our lives to such an extent that our digital selves are carried with us everywhere we go, what has been expected of a DPO has greatly expanded and diversified.
Today, a DPO is the voice of data protection compliance within an organisation. The DPO is still expected to be able to help organisations comply with their legal obligations, but what that means now is as much about respecting individuals’ privacy rights – about being open, fair and transparent with people’s personal information.
It is still also about security, but these days it is about so much more that people holding the title now come from a multitude of backgrounds – ICT (still), but also law, compliance, customer service, and many other areas.
The GDPR not only now formalises the role, but also mandates it for many organisations. For instance, all public bodies will require one, and, although the definition of “public body” is not entirely clear, in the UK it is very likely to be equivalent to what a “public authority” is, for the purposes of Freedom of Information and Human Rights law.
This means that some very small organisations will be under a legal duty to have a DPO – for example, parish councils and all state schools.
But the role is also mandatory for those organisations whose core activities involve “regular and systematic monitoring of data subjects on a large scale” or if its “core activities” involve large-scale processing of particularly sensitive data (such as data relating to someone’s racial or ethnic origin, religious beliefs, health, sexual life or criminal convictions).
Further guidance (albeit not couched in the most clear and helpful way) has been produced by what is known as the Article 29 Working Party, a group of representatives of data protection regulators from across the EU. This guidance does explain at least that “core activities” does not include the processing of staff information for HR purposes (a contrary view would arguably have led to the position that any employer would be required to have a DPO).
The GDPR also brings some structure, and defines some of the required qualities and obligations of DPOs. It says a DPO must:
- Act “independently”
- Not take instructions from their employer
- Have expert knowledge of data protection law
- Be provided with sufficient resources
- Not be dismissed merely for performing their tasks
- Report directly to the “highest management level”
A DPO does not necessarily need to be appointed in-house – GDPR makes clear that the role can be filled by a contractor, and can be shared across organisations. This will no doubt be helpful – albeit it will carry a cost – for those smaller organisations who will struggle to find someone already employed to take on the task.
In any case, as the Article 29 Working Party guidance states, there is a risk of conflicts of interest: although DPOs are not prevented from holding other posts, there are some roles which cannot be squared with that of a DPO – such as CEO, CFO, head of marketing, HR or IT.
So what happens if an organisation is meant to appoint a DPO under GDPR, but doesn’t? Well, in theory, such an infringement could attract a “lower level” fine of up to €10m or 2% of annual global turnover.
I say “in theory” because I will eat my biggest hat if any data protection regulator ever levies such a fine solely for failure to appoint a DPO. What might happen, however, is a situation where the failure to appoint might be a contributing, or aggravating factor, when considered alongside other, more substantive failings.
But, beyond that, failing to appoint a DPO where one is needed (or indeed, failing to appoint someone with responsibility for data protection compliance, even where there is no necessity to appoint a DPO themselves) misses the opportunity to have someone in place who can oversee compliance, and drive organisational improvements in what is going to be a key regulatory and legal risk area over the coming years.
12 comments on “GDPR: who needs to hire a data protection officer?”
I am surprised that there are penalties for not appointing a DPO, as I would assume that, similar to health and safety law, if no one is appointed the law assumes that the CEO holds that role, as the buck stops with him if something goes wrong. To do anything different would place an unreasonable burden on very small companies or sole traders.
The appointment of a DPO demonstrates that the organisation acknowledges the need for data protection. Although this is only a small part of the fuller data protection/GDPR strategy, it does work towards taking responsibility for protecting personal and special categories of personal data within the organisation.
The DPO role does not need to be a full time role, but can form part of a suitably experienced individual’s role.
Hi David – very small companies and some traders are unlikely to be required to appoint a DPO, as they’re not likely to be engaging in large scale monitoring of data subjects or large scale processing of sensitive personal data.
How can someone qualify as DPO? Do you recommend any certification courses?
Hi – in the UK at least “DPO” is not a role for which there is a specific qualification. There are plenty of courses and certificates – some better than others – but for professional reasons I don’t think it’s fair for me to list them here.
The intent of the requirement is good and, with the proposed penalties which may be levied due to non-compliance or a breach of personal data, DPO positions shall be taken seriously.
It may take a little bit of time for the DPO position to be given authority and for the importance of this position in the digital era to be understood, but sooner or later this will gain momentum.
Does even a small company with 15 employees need a DPO?
Hi Graham – they would only need to appoint a DPO if their core activities involve regular and systematic monitoring of data subjects on a large scale, or if their core activities involve large scale processing of particularly sensitive data. Although some very small SMEs might do that, I’d wager that the vast majority don’t.
So the figure of DPO already existed in the UK? Precisely what were their functions?
It’s existed as a job title for a long time, but there’s been no specific or statutory job description. I chair the National Association of Data Protection Officers, and we’ve had that name since inception in 1994!
I am working on a GDPR project for an organisation that has offices and operations in 21 of the 27 EU member states. Would you say that qualifies as “large scale” given the “geographic extent” of the DPO Working Party directive? Regarding the four categories (number of data subjects, volumes being two others), does one of them have to be met or do all four need to be met to trigger an appointment of a DPO?
Hi Nicholas, apologies for the delayed reply. The “large scale” point only kicks in if the controller is either 1) conducting regular and systematic monitoring of data subjects or 2) processing special categories of data or criminal justice data. If neither 1) or 2) is met, then a DPO does not *have* to be appointed, even where the processing is on a large scale. (The controller or processor might still choose voluntarily to appoint one).