One of the major changes introduced by the General Data Protection Regulation ('GDPR') is the requirement for organisations to appoint a Data Protection Officer ('DPO') in certain circumstances. So what are those circumstances and do they apply to your organisation?
It is important to note that even where an organisation is not formally required to appoint a DPO, the various regulators are encouraging DPO appointment to ensure compliance. If your organisation does voluntarily appoint a DPO then the relevant provisions pertaining to DPOs will apply.
GDPR is all about demonstrating compliance. Therefore, unless it is obvious that a DPO does not need to be appointed, the organisation should fully document its decision not to appoint one and show that it considered all the relevant information when reaching this decision.
It is mandatory under GDPR to appoint a DPO in the following circumstances:
- the processing is being carried out by a public authority or body;
- the core activities of the organisation involve the regular and systematic monitoring of data subjects on a large scale; or
- the core activities of the organisation involve the processing, on a large scale, of special categories of data and personal data relating to criminal convictions and offences.
So what are core activities? This should be looked at in the overall context of the operation and what activities are necessary to achieve the processor's or controller's goals. For example, healthcare is the core activity of a hospital, but this could not be carried out at all without processing sensitive medical data.
Processors must also appoint DPOs if they fall into the relevant category. This is not just an obligation on controllers. A good example of this is where a small company outsources occupational health to a large occupational health provider with many clients. The processor in this case would need to appoint a DPO.
If your organisation is a group operating in several EU countries then you may need to appoint a DPO for each jurisdiction. GDPR provides that the DPO must be 'easily accessible from each establishment'. Organisations could consider an overall DPO who manages local DPOs. The DPO's contact details must be published.
So if your organisation needs to, or decides to, appoint a DPO then it must be aware of the other requirements that will apply to the appointment of the DPO. These include the following:
- that the DPO has the necessary skill and expertise to fulfil the role;
- that they are involved in the early stages of any issues that could impact data protection in an organisation;
- that they are provided with the necessary resources to carry out their role;
- that they can act in an independent manner.
This last point is crucial. The DPO is a compliance officer and must be allowed to act as such. They must not be instructed about what result should be achieved or how to investigate a complaint. They must also not be instructed on whether to notify a breach or contact the data protection commissioner. This may be difficult for boards to understand or implement. However, under GDPR the DPO cannot be penalised or dismissed for performing their tasks.
The DPO will occupy a special place in an organisation and it is important to get the right person for the job at the outset.
Although an early draft of the GDPR limited mandatory data protection officer appointment to companies with more than 250 employees, the final version has no such restriction.
If you need advice on data protection and GDPR compliance please contact a member of our Employment Law & Data Protection Team:
Disclaimer: This article is for guidance purposes only. It does not constitute legal or professional advice. No liability is accepted by Leman Solicitors for any action taken or not taken in reliance on the information set out in this publication. Professional or legal advice should be obtained before taking or refraining from any action as a result of the contents of this publication. Any and all information is subject to change.