It has been 18 months since the General Data Protection Regulation (GDPR) came into force. A year and a half is a long time in business, and your organisation may have grown substantially since May 2018. Therefore, you may find that your organisation either requires a Data Protection Officer (DPO) or would benefit from the voluntary appointment of one.
Appointing a Data Protection Officer is an investment, not only in providing the salary and benefits to the successful candidate but in ensuring they have the resources they need to perform their duties, a requirement under the GDPR. Furthermore, finding a qualified DPO is challenging; at present there is a lot of demand and a shortage of suitable candidates.
A DPO can add considerable value to your organisation. There is a competitive advantage in having a senior-level person dedicated to monitoring risks, identifying opportunities, and ensuring compliance concerning personal data throughout the lifecycle of business projects.
Krishna K. Gupta, the founder of Romulus Capital, was quoted as saying:
“If companies are able to unlock the power of large-scale data, they will make 100 major decisions a year instead of 2-3. They will be able to predict the outcomes (and respective probabilities) of these decisions with much greater accuracy and be able to take external and internal input in real-time. They will be able to optimally leverage each employee in terms of both output and satisfaction. They will be able to create and design products in a much more systematic and scientific manner, rather than the black box of “innovation” today…”
A DPO is responsible for GDPR compliance within an organisation. However, they also provide guidance on privacy matters, oversee employee training on data protection policies and procedures, and act as the first point of communication with data subjects and the Information Commissioner’s Office (ICO). A DPO is a mandatory appointment for public bodies and for certain organisations whose processing operations meet specific criteria. However, even if you do not have to appoint a DPO, the European Data Protection Board (EDPB) encourages organisations to assign one voluntarily.
Article 37(1) of the GDPR sets out three situations where it is mandatory to appoint a DPO:
Regarding public bodies, if your organisation has successfully tendered for a contract to support a public body’s operations, the Article 29 Working Party Guidance (WP29 Guidelines) recommends that a DPO be appointed.
“Even though there is no obligation in such cases, the WP29 recommends, as a good practice, that private organisations carrying out public tasks or exercising public authority designate a DPO. Such a DPO’s activity covers all processing operations carried out, including those that are not related to the performance of a public task or exercise of official duty (e.g. the management of an employee database)”.
How is ‘core activity’ defined?
The ICO states that to qualify as a ‘core activity’, the processing of personal data must constitute part of carrying out the main objectives of the organisation. For example, if your business provides direct marketing services for other organisations, and your tasks include collecting names, email addresses and obtaining consent under the GDPR, your data processing constitutes a core activity of your operation.
What is ‘…monitoring of data subjects on a large scale’?
‘Large-scale monitoring’ is not defined under Article 37. The WP29 Guidelines note that Recital 91 states large-scale processing relates to:
“….in particular [apply] to large-scale processing operations which aim to process a considerable amount of personal data at regional, national or supranational level and which could affect a large number of data subjects and which are likely to result in a high risk, for example, on account of their sensitivity, where in accordance with the achieved state of technological knowledge a new technology is used on a large scale as well as to other processing operations which result in a high risk to the rights and freedoms of data subjects, in particular where those operations render it more difficult for data subjects to exercise their rights”.
Despite referring to data protection impact assessments rather than the appointment of a DPO, the above does provide some guidance.
The ICO states that when considering whether processing amounts to ‘large-scale’, consideration should be given to:
What is ‘regular and systematic monitoring’?
The ICO states:
“‘Regular and systematic’ monitoring of data subjects includes all forms of tracking and profiling, both online and offline. An example of this is for the purposes of behavioural advertising”.
Examples of businesses which regularly and systematically monitor personal data include telecommunications companies, security companies monitoring CCTV, and behavioural advertising organisations.
What constitutes ‘special categories of data’ and data related to criminal convictions?
Article 9(1) of the GDPR prohibits the processing of ‘special categories of personal data’ which reveal a person’s:
It is also prohibited to process data related to:
Article 9(2) provides exceptions to the prohibition of data processing in Article 9(1) where:
In relation to data concerning criminal convictions, Article 10 of the GDPR states that any data of this sort must be processed either:
Article 10 also states that any detailed register of criminal convictions must be kept under control of an official authority.
What if I decide to voluntarily appoint a DPO?
If you decide to voluntarily appoint a DPO, that person will be expected to comply with all GDPR requirements related to the role as if a mandatory appointment were required. You may voluntarily appoint a DPO at any time, and upon doing so, you need to inform the ICO of the DPO’s details.
Many organisations view the appointment of a DPO as a cost. However, having someone dedicated to data protection compliance provides certainty to investors, customers, and suppliers that you take regulatory compliance seriously. By having a DPO in place, your risk of reputational damage due to a data breach is reduced, as are your chances of being investigated for non-compliance with the GDPR or the Data Protection Act 2018. Finally, a DPO can identify business opportunities connected with personal data processing and develop a strategy for taking advantage of these discoveries in a compliant way, with all risks carefully managed.
Formerly the Article 29 Data Protection Working Party.
Please note – this article does not constitute legal advice.