Data Protection Officer – do you need to appoint one?

The concept of a ‘Data Protection Officer’ (“DPO”) for organisations processing personal data has been alive and well for many years – already a mandatory requirement in some countries and best practice in others. However, for the first time the appointment of a DPO will be mandatory under the General Data Protection Regulation (“GDPR”) for many organisations regardless of their size or whether they are processing personal data in their capacity as a controller or a processor. But before you all rush out to recruit a DPO – stop, breathe and read this blog – you may be panicking unnecessarily.

Who is required to appoint a DPO?

Under the GDPR (Article 37), there are three main scenarios where the appointment of a DPO by a controller or processor is mandatory:

  1. The processing is carried out by a public authority;
  2. The core activities of the controller or processor consist of processing operations which require regular and systematic processing of data subjects on a large scale; or
  3. The core activities of the controller or processor consist of processing on a large scale of sensitive data (Article 9) or data relating to criminal convictions / offences (Article 10).

Until recently, exactly what the terms highlighted in bold above meant has been unclear. However, ‘Guidelines on Data Protection Officers’ published by the Article 29 Working Party (“WP29”) on 16th December 2016 has added much needed clarity to elements of the requirements contained in Articles 37, 38 and 39 of the GDPR as explained in this blog.

What do the WP29 Guidelines say about the appointment of a DPO?

Understanding whether or not you need to appoint a DPO depends on the scale and scope of your data processing operations and whether they fall within the scope of Article 37 (set out above).  Below is an overview of the WP29’s guidance on the requirements for appointing a DPO:

  1. Core Activities – the WP29’s guidance clarifies that for the processing to be considered a core activity, this means it should be part of the key operations to achieve the controller/processor’s objectives which ‘forms an inextricable part of the controller’s or processor’s activity’. This would not include supporting activities such as payroll or IT support which are ancillary functions.
  1. Large Scale – the WP29 recommends that organisations take into account a number of factors when determining if their processing is of ‘large scale’ – this includes determining:

            a) the number of data subjects concerned;

            b) the volume of data or range of data items;

            c) the duration of the processing; and

            d) the geographical extent of the processing.

  1. Regular and Systematic Monitoring – the WP29 guidance confirms that processing of this type would ‘include all forms of tracking and profiling on the internet, including for the purposes of behavioural advertising’. But it is important to note that this type of monitoring is not restricted to the online environment and could also include offline activity. The WP29 has interpreted ‘regular’ monitoring to mean: ongoing/occurring at particular intervals for a particular period; recurring or repeated at fixed times or constantly or periodically taking place. The WP29 has also provided guidance on the meaning of ‘systematic’ monitoring to mean: occurring according to a system; pre-arrange, organised or methodical; taking place as part of a general plan for data collection; or carried out as part of a strategy.

If your organisation carries out the type of processing activities listed above (and/or is a public authority), then it will be required to appoint a DPO under the GDPR – be it external or internal. It is also important to note that if your organisation does not meet the requirements in the GDPR but instead voluntarily decides to appoint a DPO, then the same requirements that apply to mandatory DPOs will still apply. Where you decide not to appoint a DPO, the WP29 recommends documenting those reasons. 

What is the role, tasks and liability of the DPO?

The WP29 guidance also clarifies the position under Articles 38 and 39 in relation to the role and tasks of the DPO:

  1. Role – the GDPR requires the DPO to be appointed “on the basis of professional qualities and, in particular, expert knowledge of data protection law and practices”. The WP29 guidance confirms that the level of knowledge required should be determined on the basis of the data processing operations and the level of protection required. It also lists some skills which the DPO should possess such as expertise in national and European data protection laws, understanding of the processing operations etc.
  1. Tasks – the WP29 emphasise that organisations need to ensure the DPO is involved in all data protection issues as early as possible and that the DPO’s key concern is monitoring compliance with the GDPR. In order to successfully do this, the DPO must remain independent e.g. they cannot hold a position within the organisation that leads them to determine the purposes and means of the processing.  

In the WP29’s guidance, it is also emphasised that the DPO is not personally responsible for non-compliance with the GDPR. The liability still remains with the controller or processor to demonstrate that the processing activities are being performed in accordance with the GDPR.

So what should organisations do next?

Organisations should be assessing their data processing activities to understand whether they fall within the scope of the requirements in Article 37. If they do, then it will be important to either fulfil the DPO position internally or from an external source. For those organisations to whom the requirements do not apply, they may still choose to appoint a DPO but must remember that the same requirements will apply. If they choose not to appoint a DPO, then it is recommended by the WP29 to document the reasoning behind that decision.

Despite the additional guidance provided by the WP29, the biggest challenge for organisations will not be determining whether or not to appoint a DPO but finding DPO resource in what is already a competitive skills market. But the key thing is not to panic, as you may not even need a DPO!

If you would like to speak to a member of our team about our ‘MyDPO’ services, please email Samantha Sayers at [email protected] to find out how we can support you.

Samantha Sayers  | Solicitor – Cyber Security and Data Protection | PwC - UK
[email protected] |+44 (0)20 7213 4697

More articles by Samantha Sayers