Some of the hype about the General Data Protection Regulation (the GDPR) has been given renewed focus over the last couple of weeks by the issuing of two Notices of Intent by the Information Commissioner’s Office (ICO) with a nominal value of over £283m. It is worth reiterating what many have already said before me – Marriott International and British Airways, the two organisations involved, may never actually receive a fine. This is only the start of the process and there is a long way to go.
Nevertheless, what this has undoubtedly done is raise the profile of data protection legislation and the newly acquired abilities of the regulator (the ICO) to issue substantially increased fines compared to those available under previous legislation. This will almost certainly result in some discussion in boardrooms and, for those that have yet to appoint a Data Protection Officer (DPO), probably a much more serious discussion about whether or not they should. Even those that don’t need a DPO may still choose to appoint one, or someone specifically responsible for data protection compliance.
If you are newly appointed to the role, the most important point to remember is that you are not alone. While the role of DPO is new to the GDPR, the majority of data protection law requirements have been around for some time in the UK, some since 1984, so there are lots of things we can learn from what has happened under previous legislation.
It is likely to seem like a daunting task at first and I think that most would agree that there is a huge amount of information to take in before you can even think about applying it. Data protection has also suffered from significant volumes of misinformation that need to be sifted out, so where do you start if you are given the role of DPO?
This article provides some basic advice as well as links to reliable sources for those new to the DPO role as well as for those responsible for managing data protection compliance. This draws on my own experiences of working with data protection for the past 20 years, including as a DPO for a number of organisations since 25 May last year.
What is a Data Protection Officer?
A DPO is a role established by the GDPR with specific tasks and responsibilities laid down by the legislation. The role is required by an organisation (either a controller or processor [1]) where:
- They are a public authority except for courts acting in their judicial capacity;
- The core activities of the organisation require regular and systematic monitoring of data subjects on a large scale. One example of regular and systematic monitoring is CCTV, but there are lots of others;
- The core activities consist of processing on a large scale of special categories of personal data (Article 9 of the GDPR) or personal data relating to criminal convictions and offences (Article 10). Special categories of personal data include medical information, racial or ethnic origin, religious beliefs and trade union membership along with others.
If you haven’t already, it may be helpful to review the guidance issued by the Article 29 Working Party, endorsed by the European Data Protection Board, on the role of the DPO as it expands on several important points, including the need to avoid a conflict of interest when making the appointment. It also helps with interpretation of key terms such as “large scale”, and discusses the need to conduct a data protection impact assessment to determine whether you need a DPO if it is not clear in terms of the legislation.
I would recommend that you don’t call yourself a DPO unless the law specifically requires your organisation to have one, or a decision has been made at board level or equivalent that your organisation should have one. If you call yourself a DPO, both you and your organisation must then comply with all aspects of the law for DPOs.
What do I need to do?
There is no set job description and the role is likely to differ according to sector, size and a range of other factors. However, the GDPR lays down a number of tasks (Article 39) that have to be completed by the DPO as a minimum:
- To advise the organisation that you work for as well as their employees about their obligations under the GDPR and other data protection law;
- Monitor compliance with the GDPR and other data protection law as well as with the policies of your organisation that relate to the protection of personal data. The legislation mentions the assignment of responsibilities, awareness-raising and training of staff involved in processing operations, and the related audits;
- Provide advice on data protection impact assessments and monitor their performance in terms of ensuring compliance with the GDPR;
- Cooperate and act as the point of contact with the supervisory authority. In the UK this will be the Information Commissioner’s Office.
When carrying out their tasks, the GDPR requires the DPO to have due regard to the risk associated with processing operations. It is also worth noting that the DPO must be accessible to data subjects and is bound by secrecy and confidentiality regarding the performance of tasks.
There are other responsibilities placed on the controller or processor with regard to the DPO and you can find out more about these in the GDPR as well as the EDPB guidance referred to above.
Who am I responsible to?
The DPO should report into the highest level of your organisation, which is usually board level. Further information about this is available from the ICO’s website. It should be noted that there is nothing in the legislation or the EDPB guidance that allows the role to be delegated by an existing board member who is, in effect, DPO in name only, although that is an approach a number of organisations seem to have taken. The organisation must also ensure that the DPO does not receive any instructions regarding the exercise of their tasks.
What skills and competencies should I have?
The GDPR states that the DPO “shall be designated on the basis of professional qualities and, in particular, expert knowledge of data protection law and practices”, as well as being able to fulfil the tasks listed above.
I am sure it goes without saying but, for the avoidance of doubt, anyone in the role of DPO should have at least a basic knowledge of data protection laws, and an understanding of how the law is applied is a must. That said, these are skills that the vast majority of us have learnt once in the job, but it is really helpful to familiarise yourself with reference materials (including codes of practice) and applicable legislation. As highlighted above, make sure the information you are using is from a trusted and reliable source.
To comply with the requirements of legislation, information governance skills are likely to be very helpful, with business knowledge of the organisation you are working for essential. As yet, the ICO hasn’t issued any additional guidance for the UK, although you may find it useful to look through the frameworks of competence published by the Spanish and French authorities. These are fairly consistent in the areas of competence that they are expecting a DPO to have. We are going to cover the area of emerging required competencies of DPOs in a later blog.
Is being a DPO a permanent role and can I do it alongside what I am doing?
Assuming your organisation meets the criteria for requiring a DPO, it will be an ongoing legal obligation, although whether it is introduced as a permanent role will be decided by your organisation. The legislation specifically allows for the role to be an employee or to be contracted in as a service. If you are going to contract in a service, make sure you undertake the necessary due diligence.
The role can be fulfilled by someone with other responsibilities although, as mentioned above, there cannot be any conflict of interest between the two roles that you might have. For example, it is unlikely that the role of DPO could be held by the Head of HR or the Head of IT, or equivalent roles in your organisation.
Are there any associations that I could join?
Some of the organisations that provide support for compliance with data protection laws include:
What training is available?
If you are looking to formally develop competencies, there is a wide range of training available. Again, make sure you do your due diligence to make sure any events you decide to attend are going to provide what you need them to. Note that there are no certifications under the GDPR in the UK, at least not yet, and there are unlikely to be any for training for DPOs.
Tkm offers a number of data protection qualifications that are certified by the BCS or the SQA, one of the UK’s qualifications regulators.
Tkm’s courses include:
- Diploma/Certificate in Managing Data Protection Compliance
- Certificate in Data Protection Compliance
- BCS Foundation Certificate in Data Protection
- BCS Practitioner Certificate in Data Protection
Courses are run throughout the UK and can also be delivered in-house. In-house training can be fully customised according to the needs of your organisation. Please don’t hesitate to contact us if you would like to discuss your requirements. The IRMS also has other training partners that provide courses on a range of information governance topics – see Leadership Through Data.
[1] Controllers and processors are defined by the GDPR. A controller determines the means and purposes of processing personal data, and a processor processes personal data on behalf of the controller. If you are regularly processing personal information, you are likely to be either a controller or processor or both. See the ICO’s website for further information.
With just over a year to go until the implementation of the General Data Protection Regulation (GDPR), one of the tasks to get started with for certain types of organisations is the appointment of a Data Protection Officer (DPO).
The Article 29 Data Protection Working Party (WP29) has recently published some useful guidance (5 April 2017) that describes the DPO as being at the “heart of this new legal framework”, and this blog summarises key elements of the guidance and associated annex.
Who is required to appoint a DPO?
There are three cases where it is mandatory for a DPO to be appointed by a Controller and a Processor (Article 37(1)):
- Where the processing is carried out by an organisation considered to be a public authority or body except for courts acting in their judicial capacity. The WP29 guidance suggests that, as good practice, private organisations carrying out public tasks (such as energy supply, public housing and others) should also designate a DPO.
- Where the core activities of the controller or the processor consist of processing operations which require regular and systematic monitoring of data subjects on a large scale. The WP29 guidance defines “core activities” and “large scale”, as well as what constitutes “regular” and “systematic”, and discusses useful examples such as the use of closed circuit television.
- Where the core activities of the controller or the processor consist of processing on a large scale of special categories (Article 9) of data or personal data relating to criminal convictions and offences. As above, the WP29 guidance has some useful examples of what processing is likely to fall within this definition.
Unless obvious, the WP29 guidance recommends organisations should conduct “internal analysis” to determine whether a DPO is to be appointed.
If a DPO is not mandatory for our organisation, should we still appoint one?
Organisations can voluntarily appoint a DPO. However, it should be noted that the WP29 guidance states that where a DPO is designated on a voluntary basis, the requirements laid down under Articles 37 to 39 will apply as if the designation had been mandatory. This means that if you do not have to appoint a DPO, roles should only be given the title of DPO if they will be tasked with all obligations laid down in the Articles above. They are also responsible for all processing operations carried out by the organisation with regard to personal data, meaning that you cannot be selective about which processes the DPO may cover.
What are the DPO’s responsibilities?
Tasks of the DPO are laid down by Article 39(1) and are summarised below. These are to:
- Inform and advise the Controller or the Processor and the employees who are processing personal data of their obligations under the GDPR;
- Monitor compliance with the GDPR;
- Provide advice regarding data protection impact assessments and monitor their performance;
- Cooperate with the supervisory authority, which is the Information Commissioner’s Office (ICO) in the UK;
- Act as the contact point for the ICO on issues related to the processing of personal data.
Article 39(2) requires the DPO to have a risk-based approach to undertaking their duties, taking into consideration the nature, scope, context and purposes of processing operations. The accessibility of the DPO should also be effective, with the controller or processor required to publish the contact details of the DPO and also provide them to the ICO.
It is important to note that a DPO is not personally responsible for compliance with the GDPR. This remains the responsibility of the Controller or Processor (Article 24(1)). There are additional organisational responsibilities with regard to the DPO and these will be covered in a later blog.
Who can be a DPO?
Article 37(5) states that the DPO, who can be a staff member or contractor, “shall be designated on the basis of professional qualities and, in particular, expert knowledge of data protection law and practices and the ability to fulfil the tasks referred to in Article 39”. The WP29 guidance states that although the required level of expertise is not defined, “it must be commensurate with the sensitivity, complexity and amount of data an organisation processes”.
It is worth noting that although Article 38(6) allows DPOs to “fulfil other tasks and duties”, an organisation must ensure there is no conflict of interest. The WP29 guidance suggests this will depend on each organisation, although it may preclude senior management such as the Chief Executive, Chief Financial Officer, Head of Human Resources and Head of IT, amongst others, from the role of DPO.
What should I do next?
The first step is to identify whether a DPO is required in your organisation and, if so, who should fill the role. You should check the text of the GDPR, the WP29 guidance, and also the information available from the Information Commissioner’s website on DPOs to make sure you understand how these requirements will apply to your organisation.
You can then begin the process of recruitment, contracting and training new and existing staff as appropriate. It is essential that your organisation has developed the necessary competencies to comply with the GDPR by 25 May 2018. Training is a key organisational measure in preparing for the GDPR and Tkm can help. If you are interested in training for DPOs please contact us.
Tkm is in the process of adding accredited data protection qualifications to their portfolio and also delivers in-house training that can be fully customised according to your business sector and the individual learning needs of your staff.
Look out for our next blog which will provide some guidance on choosing the right training for your organisation, helping to ensure best value for money.
The material contained in this article constitutes general guidelines only and does not represent to be advice on any particular matter. No reader should act on the basis of material contained within this site without first taking professional advice appropriate to their particular circumstances.
exploit – protect – comply