With the EU General Data Protection Regulation (the “GDPR”) becoming applicable on 25 May 2018, one of the first action areas for companies to consider is whether or not they will be obliged to appoint a Data Protection Officer (“DPO”).
From 25 May 2018, there will be a mandatory obligation on certain organisations to appoint a DPO. Broadly, this will apply to public authorities and to companies whose core activities involve processing personal data on a large scale. The DPO may be an employee with other roles in the company or may be an external contractor; however, they must have expert knowledge of data protection law and practice.
The obligation to appoint a DPO, and the DPO’s position and tasks, are set out in Articles 37 to 39 of the GDPR. A more extensive set of Guidelines on Data Protection Officers was published in December 2016 by the Article 29 Working Party, the body of EU national data protection authorities established under Directive 95/46/EC.
In brief, where the processing of personal data is an integral part of your company’s core activities and this is done on a large scale, you will be obliged to appoint a DPO. Article 37(1) requires the appointment of a DPO where:
(a) the processing is carried out by a public authority or body (other than courts acting in their judicial capacity);
(b) the core activities of the controller or processor consist of processing operations which require regular and systematic monitoring of data subjects on a large scale; or
(c) the core activities of the controller or processor consist of large-scale processing of special categories of data (Article 9) or of data relating to criminal convictions and offences (Article 10).
The key terms in (b) and (c) are considered below.
The “core activities” of a company are the primary activities or key operations of that company. Where your company could not engage in its primary operations without the processing of personal data, then this criterion is met.
The term “regular and systematic” is not defined by the GDPR. However, “regular” can be taken to mean ongoing, recurring, periodical or at specific intervals. “Systematic” should be taken to mean occurring according to some organised or pre-arranged system: if you email a customer at the end of every quarter, this could hypothetically be considered systematic.
“Large scale” is also not a defined term and, in the abstract, it is difficult to know how strictly it will be read. Factors that will be taken into account are the number of individuals whose data is being processed, the volume of data being processed for each of them, the duration or permanence of the processing and its geographical extent. A hospital will certainly process data on a large scale, whereas an individual GP is unlikely to do so.
Each individual case will be taken on its own facts. If you suspect that you may fall under these obligations, you should get in touch with your Gore and Grimes contact in advance of May 2018. See our Contacts section below for details.
In the broadest terms, the role of the DPO is to ensure your company complies with its data protection obligations and specifically those set out in the GDPR.
Specifically, under Article 39(1) a DPO is charged with at least the following tasks:
(a) informing and advising the company and its employees of their obligations under the GDPR and other data protection law;
(b) monitoring compliance with the GDPR and with the company’s own data protection policies, including the assignment of responsibilities, awareness-raising, staff training and related audits;
(c) providing advice where requested on data protection impact assessments and monitoring their performance;
(d) cooperating with the supervisory authority; and
(e) acting as the contact point for the supervisory authority on issues relating to processing, and consulting it where appropriate.
In order to comply with these obligations, your company will be required to properly resource your DPO to meet their day-to-day requirements, including giving them access to personal data and processing operations, and to facilitate their ongoing training in the area of data protection.
A DPO cannot be instructed on how to deal with a matter involving data protection. They must act independently in the exercise of their duties and must report directly to the highest level of management within the company. Note, however, that the DPO is not personally responsible for how data is handled within an organisation: accountability for compliance with the GDPR remains with the company as controller or processor, and the DPO’s role is to advise on and monitor that compliance.
Specifically, the DPO cannot be instructed by senior management as to what result should be achieved in a data protection matter, how to investigate a data protection complaint, or whether to consult the supervisory authority. Furthermore, they must not be instructed to take a particular view of an issue of data protection law. Importantly, they cannot be dismissed or penalised for performing their tasks.
While a DPO can fulfil other tasks and duties, the GDPR requires that an organisation ensures that any such tasks and duties do not result in a conflict of interests. Specifically, the DPO cannot hold a position within the organisation that requires him or her to determine the purposes and the means of the processing of personal data.
As each organisation is different, this will be determined on a case by case basis. The Article 29 Working Party does however provide useful guidance on the type of positions that a DPO cannot hold in an organisation:
“conflicting positions may include senior management positions (such as chief executive, chief operating, chief financial, chief medical officer, head of marketing department, head of Human Resources or head of IT departments) but also other roles lower down in the organisational structure if such positions or roles lead to the determination of purposes and means of processing”.