With the EU General Data Protection Regulation (the “GDPR”) coming into force in May, 2018, one of the first action areas for companies to consider is whether or not they will be obliged to appoint a Data Protection Officer (“DPO”).
As of May 2018, there will be a mandatory obligation on certain companies to appoint a DPO. This will apply to companies that deal with personal data on a large scale. The DPO may be an employee with other roles in the company or may be an external contractor; however, they must have expert knowledge in the area of data protection law.
The obligations to appoint a DPO are set out in Articles 37 to 39 of the GDPR. A more extensive set of Guidelines on Data Protection Officers was published by a Working Party set up by the European Parliament in December 2016.
In brief, where the processing of data is an integral part of your company and this is done on a large scale, you will be obliged to appoint a DPO. In addition, there are certain organisations for which the GDPR specifically requires the appointment of a DPO:
The “core activities” of a company are the primary activities or key operations of that company. Where your company could not engage in its primary operations without the processing of personal data, then this criterion is met.
The term “regular and systematic” is not defined by the GDPR. However, regular can be taken to mean ongoing, recurring, periodical or at specific intervals. Systematic should be taken to mean according to some objective system: if you email a customer at the end of every quarter, this could hypothetically be considered systematic.
“Large Scale” is also not a defined term and, in the abstract, it is difficult to know how strictly it will be read. What will be taken into account are the number of individuals whose data is being processed, the bulk of data that is being processed for each, and the regularity with which it is being processed. A hospital will certainly process data on a large scale, whereas a local GP is unlikely to do so.
Each individual case will be taken on its own facts. If you suspect that you may fall under these obligations you should get in touch with your Gore and Grimes contact in advance of May 2018.See our Contacts section below for details.
In the broadest terms, the role of the DPO is to ensure your company complies with its data protection obligations and specifically those set out in the GDPR.
Specifically, a DPO is charged with attending to the following obligations:
In order to comply with the obligations, your company will be required to properly resource your DPO to meet their day-today requirements and facilitate them in their ongoing training in the area of data protection.
A DPO cannot be instructed on how to deal with a matter involving data protection. They must have full autonomy in the exercising of their duties and must report to the highest level of management within the company. The DPO is responsible for how data is handled within an organisation – it is a ‘buck stops here’ role
Specifically, the DPO cannot be instructed by senior management as to what result should be achieved in a data protection matter; how to investigate a data protection complaint; or whether to consult the supervisory authority. Furthermore, they must not be instructed to take a certain view of an issue related to data protection law. Importantly, they cannot be dismissed or penalised for exercising their tasks.
While a DPO can fulfil other tasks and duties, the GDPR requires that an organisation ensures that any such tasks and duties do not result in a conflict of interests. Specifically, the DPO cannot hold a position within the organisation that requires him or her to determine the purposes and the means of the processing of personal data.
As each organisation is different, this will be determined on a case by case basis. The European Parliament Working Party do however provide useful guidance on the type of positions that a DPO cannot hold in an organisation:
“conflicting positions may include senior management positions (such as chief executive, chief operating, chief financial, chief medical officer, head of marketing department, head of Human Resources or head of IT departments) but also other roles lower down in the organisational structure if such positions or roles lead to the determination of purposes and means of processing”.