GDPR: who needs to hire a data protection officer?

The clock is ticking to May next year, when a major reboot of European data protection laws takes place. The General Data Protection Regulation (GDPR) will apply across European Union member states (including the UK, pre- and almost certainly post-Brexit).

Many headlines have been written about the sanctions for contraventions (up to €20m or 4% of an organisation’s annual global turnover) and about changes to such concepts as consent, accountability, and data subjects’ rights, but what has perhaps been rather overlooked is that it will introduce a statutory basis for a role that has until now only ever really had an informal status – the data protection officer (DPO).

Until now, in the UK certainly, but also across much of Europe and the rest of the world, the role of DPO has been largely undefined. The existing European data protection framework dates from an EU directive from 1995.

In those days “data” was almost exclusively seen in a computing context, and the first people given the informal title of DPO were mostly people from an ICT background – those who could understand the flow of computerised data, and identify and “protect” the data relating to identifiable individuals.

In the years since, as technology has suffused all our lives to such an extent that our digital selves are carried with us everywhere we go, what has been expected of a DPO has greatly expanded and diversified.

Today, a DPO is the voice of data protection compliance within an organization. The DPO is still expected to be able to help organisations comply with their legal obligations, but what that means now is as much about respecting individuals’ privacy rights – about being open, fair and transparent with people’s personal information.

It is still also about security, but these days is about so much more that people holding the title now come from a multitude of backgrounds – ICT (still), but also law, compliance, customer service, and many other areas.

The GDPR not only now formalises the role, but also mandates it for many organisations. For instance, all public bodies will require one, and, although the definition of “public body” is not entirely clear, in the UK it is very likely to be equivalent to what a “public authority” is, for the purposes of Freedom of Information and Human Rights law.

This means that some very small organisations will be under a legal duty to have a DPO – for example, parish councils and all state schools.

But the role is also mandatory for those organisations whose core activities involve “regular and systematic monitoring of data subjects on a large scale” or if its “core activities” involve large-scale processing of particularly sensitive data (such as data relating to someone’s racial or ethnic origin, religious beliefs, health, sexual life or criminal convictions).

Further guidance (albeit not couched in the most clear and helpful way) has been produced by what is known as the Article 29 Working Party, a group of representatives of data protection regulators from across the EU. This guidance does explain at least that “core activities” does not include the processing of staff information for HR purposes (a contrary view would arguably have led to the position that any employer would be required to have a DPO).

The GDPR also brings some structure, and defines some of the required qualities and obligations of DPOs. It says a DPO must:

  • Act “independently”
  • Not take instructions from their employer
  • Have expert knowledge of data protection law
  • Be provided with sufficient resources
  • Not be dismissed merely for performing their tasks
  • Report directly to the “highest management level”

A DPO does not necessarily need to be appointed in-house – GDPR makes clear that the role can be filled by a contractor, and can be shared across organisations. This will no doubt be helpful – albeit it will carry a cost – for those smaller organisations who will struggle to find someone already employed to take on the task.

In any case, as the Article 29 working guidance states, there is a risk of conflicts of interest, and that although DPOs are not prevented from holding other posts there are some roles which cannot be squared with that of a DPO – such as CEO, CFO, head of marketing, HR or IT.

So what happens if an organisation is meant to appoint a DPO under GDPR, but doesn’t? Well, in theory, such an infringement could attract a “lower level” fine of up to €10m or 2% of annual global turnover.

I say “in theory” because I will eat my biggest hat if any data protection regulator ever levies such a fine solely for failure to appoint a DPO. What might happen, however, is a situation where the failure to appoint might be a contributing, or aggravating factor, when considered alongside other, more substantive failings.

But, beyond that, failing to appoint a DPO where one is needed (or indeed, failing to appoint someone with responsibility for data protection compliance, even where there is no necessity to appoint a DPO themselves) misses the opportunity to have someone in place who can oversee compliance, and drive organisational improvements in what is going to be a key regulatory and legal risk area over the coming years.