1. WHO NEEDS TO APPOINT A DPO
The General Data Protection Regulation (GDPR) sets out the circumstances in which a DPO must be appointed. Article 37(1) of the GDPR states: “the controller and the processor shall designate a DPO in any case where:
a. the processing is carried out by a public authority or body, except for courts acting in their judicial capacity;
b. the core activities of the controller or the processor consist of processing operations which, by virtue of their nature, their scope and/or their purposes, require regular and systematic monitoring of data subjects on a large scale; or
c. the core activities of the controller or the processor consist of processing on a large scale of special categories of data pursuant to Article 9 and personal data relating to criminal convictions and offences referred to in Article 10.”
Large-scale data processing involves the processing of large volumes of data; for example, in the NHS or by a marketing company.
The Article 29 Working Party has issued some helpful guidance. When considering whether processing is large-scale, the following should be taken into account:
• the number of data subjects concerned – either as a specific number or as a proportion of the relevant population
• the volume of data and/or the range of different data items being processed
• the duration, or permanence, of the data processing activity
• the geographical extent of the processing activity
The core activities of controllers are those operations which are needed to achieve the organisation's goals (Article 29 Working Party); i.e. you need to see whether your core activities are dependent upon some processing, perhaps because of a contractual obligation. For example, a company sells a car and offers a warranty. The core activity is the sale of the car, but the warranty will involve the processing of personal data relating to the person who bought the car.
If the business is such that the core activity involves the processing of personal data in order to be performed, then the processing of data becomes inextricably linked to that core activity.
2. WHAT DOES A DPO DO
The DPO’s function is to monitor compliance with the GDPR. The DPO acts as the ‘eyes and ears’ of the Regulator within an organisation to ensure compliance. The DPO will collect information to identify processing activities, analyse and check the compliance of that processing, and inform, advise and issue recommendations to the controller or processor in matters such as Data Protection Impact Assessments (DPIAs).
In essence, the DPO acts to safeguard the organisation's position and to manage the risks associated with data protection.
If a business gives someone the formal title of DPO, that title brings with it all of the protections the GDPR affords a DPO. The DPO is protected against dismissal and penalties for performing their tasks, and their genuine independence must be ensured.
If an organisation decides not to appoint a DPO, it must document the reasons for doing so.
A failure to appoint a DPO can result in significant fines and penalties to the organisation.
3. WHO CAN BE THE DPO
The GDPR is not specific, although the Article 29 Working Party makes clear a DPO must have an understanding of data protection laws.
A company could therefore appoint a senior person who would be supported by experts, an approach endorsed by the Article 29 Working Party. The DPO reports to the highest level of management in the organisation.
If you would like to discuss the impact of GDPR on your business and how we might be able to help you address any concerns, call us on +44 (0) 7545 813 894 or contact us online.