New EU data protection laws – in the form of the General Data Protection Regulation 2016 (GDPR) – due to come into force in the UK on 25 May 2018 set out the following three specific cases when it is mandatory for an organisation (whether a data controller or processor) to appoint a data protection officer (DPO) to facilitate their compliance with the GDPR:
- all public authorities and bodies (irrespective of what personal data they process)
- organisations whose core activity is monitoring individuals regularly and systematically, on a large scale or
- organisations whose core activity consists of processing on a large scale special categories of personal data or personal data relating to criminal convictions and offences.
Are you caught by any of the above?
Public authorities and bodies
There is no definition of public authorities or bodies in the GDPR and this would need to be determined in accordance with UK laws. Guidance from the Article 29 Working Party (A29WP) cites the following definitions found in an EU Directive on the re-use of public-sector information:
- ‘public sector body’ – the State, regional or local authorities, bodies governed by public law and associations formed by one or several such authorities or one or several such bodies governed by public law
- ‘body governed by public law’ – a body: (a) established for the specific purpose of meeting needs in the general interest, not having an industrial or commercial character; and (b) having legal personality; and (c) financed, for the most part by the State, or regional or local authorities, or other bodies governed by public law; or subject to management supervision by those bodies; or having an administrative, managerial or supervisory board, more than half of whose members are appointed by the State, regional or local authorities or by other bodies governed by public law
If a public task is carried out by a private organisation (particularly those providing services in public transport, water and energy supply, road infrastructure, public service broadcasting, public housing or disciplinary bodies for regulated professions), the A29WP recommends, as good practice, that such a private organisation designates a DPO to cover all its processing activities, not just in relation to its public tasks.
In the UK, public bodies and authorities would include ministerial departments (eg Department for Education, Department for Transport and Department for Health), non-ministerial departments (eg Serious Fraud Office, Crown Prosecution Service and National Crime Agency), agencies and other public bodies (eg Crown Commercial Service, British Council and DVLA).
Organisations whose core activity is monitoring individuals regularly and systematically, on a large scale
This needs to be broken down as follows:
- core activities relate to ‘primary activities [of an organisation] and do not relate to the processing of personal data as ancillary activities’. They can include ‘key operations necessary to achieve [an organisation’s] goals’ and ‘activities where processing of data forms an inextricable part of [an organisation’s] activity’.
Paying employees and having standard IT support activities are examples of ‘necessary support functions for the organisation’s core activity or main business’ which are ‘usually considered ancillary functions rather than the core activity’.
- large scale is not defined in the GDPR and the A29WP recommends looking at the following factors:
- the number of data subjects concerned – either as a specific number or as a proportion of the relevant population
- the volume of personal data and/or the range of different personal data items being processed
- the duration, or permanence, of the data processing activity and
- the geographical extent of the processing activity.
The A29WP gives the following examples of large-scale processing:
- processing of patient data in the regular course of business by a hospital
- processing of travel data of individuals using a city’s public transport system (eg tracking via travel cards)
- processing of customer data in the regular course of business by an insurance company or a bank and
- processing of personal data for behavioural advertising by a search engine.
- regular and systematic monitoring is also not defined in the GDPR and the A29WP guidance interprets ‘regular’ and ‘systematic’ as follows:
- ongoing or occurring at particular intervals for a particular period
- recurring or repeated at fixed times
- constantly or periodically taking place
- occurring according to a system
- pre-arranged, organised or methodical
- taking place as part of a general plan for data collection
- carried out as part of a strategy
The A29WP also lists the following examples that may fall within this definition: operating a telecommunications network; providing telecommunications services; email retargeting; profiling and scoring for purposes of risk assessment (eg for purposes of credit scoring, establishment of insurance premiums, fraud prevention, detection of money-laundering); location tracking (eg by mobile apps); loyalty programs; behavioural advertising; monitoring of wellness, fitness and health data via wearable devices; closed circuit television; connected devices (eg smart meters, smart cars, home automation, etc).
Organisations whose core activity consists of processing on a large scale special categories of personal data or personal data relating to criminal convictions and offences
This is fairly straightforward as ‘special categories of personal data’ are defined in the GDPR (ie information about a person’s racial or ethnic origin, political opinions, religious or similar beliefs, trade union membership, or physical or mental health or condition or sexual life), and criminal convictions and offences are self-explanatory. Similar factors to those considered above for large scale processing would apply here.
If you do need to appoint a DPO, what do you need to do?
A group of companies can appoint a single DPO provided that s/he is ‘easily accessible from each establishment’. A29WP draws upon three areas of the GDPR to give guidance on what accessibility refers to, namely the tasks of the DPO as a contact point with respect to data subjects, its supervisory authority and also internally within the organisation because one of the tasks of the DPO is ‘to inform and advise [the organisation] and [its] employees who carry out processing of their [GDPR] obligations’.
Other key factors to take into account when appointing a DPO include:
- the DPO should be located in the EU, whether or not the organisation is established in the EU (but it can’t be excluded that, in some situations where an organisation has no establishment within the EU, a DPO could be based outside the EU)
- the DPO must have expert knowledge of data protection law and practices, and have the ability to carry out the tasks set out in the GDPR
- the DPO’s level of experience must be commensurate with the sensitivity, complexity and amount of personal data that an organisation processes
- the DPO must be capable of performing the tasks which the GDPR requires it to be responsible for (eg advising on data protection impact assessments, co-operating with the ICO, and advising on the organisations’ obligations under the GDPR and monitoring its compliance)
- the DPO must be sufficiently senior within the organisation but at the same time they must be able to perform their duties and tasks independently and must not be directed by senior management on how to deal with a matter, or required to take a certain view on a GDPR issue and
- the organisation remains responsible for its compliance with the GDPR – responsibility does not fall to the DPO.
If you don’t need to appoint a DPO, should you appoint one on a voluntary basis?
Both the ICO and the A29WP encourage designating a DPO on a voluntary basis. However, if you do this then you will be required to comply with the above requirements.
Guidance from the A29WP states ‘Nothing prevents an organisation, which is not legally required to designate a DPO and does not wish to designate a DPO on a voluntary basis …. to nevertheless employ staff or outside consultants with tasks relating to the protection of personal data. In this case it is important to ensure that there is no confusion regarding their title, status, position and tasks. Therefore, it should be made clear, in any communications within the company, as well as with data protection authorities, data subjects, and the public at large, that the title of this individual or consultant is not a ‘data protection officer’.
What should you do now?
Decide if you need to appoint a DPO – if you do, start looking now. If you are unsure and would like further advice, please contact our Commercial Team or you can phone +44 (0)1293 527744.
This document is provided for information purposes only and does not constitute legal advice. Professional legal advice should be obtained before taking or refraining from taking any action as a result of the contents of this document.