We’ve seen so far that GDPR is going to have an effect on any business that handles personal data in its activities. To manage your obligations properly, it is important to not only know what they are and prepare policies to ensure compliance, but also to work out who is going to be responsible for this.
You may have seen reference to the role of Data Protection Officer (“DPO”) and be wondering a) what it is and b) whether you are going to have to make a new appointment to fill it.
What is the Data Protection Officer?
In brief, the DPO is there to help businesses comply with their data protection obligations. They do this through a combination of monitoring compliance with GDPR, advising on the data protection obligations affecting the business (including the carrying out of Data Protection Impact Assessments) and acting as the main point of contact for data subjects and the Information Commissioner's Office ("ICO").
Whilst the DPO must be an independent expert in data protection, they can be an existing employee or recruited specifically for the role. Adequate resources must be given to the DPO, they must not be instructed on how to carry out their tasks, and they must report to the senior management of the business.
The level of data protection expertise required of a DPO will depend on the nature and complexity of the processing carried out by the business they work for. A single DPO can be shared between more than one business, provided they remain easily accessible to each of them.
Do you need a Data Protection Officer?
Under GDPR, DPOs are required, amongst other things (public authorities and bodies must appoint one in any event), where a business’ core activities, either as Data Processor or Data Controller, require or consist of: a) large scale, regular and systematic monitoring of individuals; or b) large scale processing of special categories of data or data relating to criminal convictions and offences.
Core activities are described as the primary business activities of your organisation. For example, if a business processes personal data in order to carry out its main purpose, this is a core activity. The ICO differentiates between this and, say, processing personal data for secondary purposes (e.g. relating to HR) which is not part of carrying out your primary objectives, even where it is carried out frequently.
Whilst GDPR does not define “regular and systematic monitoring” or “large scale”, the ICO has given some guidance to help businesses assess whether or not their activities are caught.
The guidance states that “regular and systematic” monitoring of data subjects includes all forms of tracking and profiling, both online and offline. An example given of when this might apply is the carrying out of behavioural advertising.
When deciding whether or not the processing carried out by a business is carried out on a “large scale”, the ICO’s guidelines point towards the following considerations:
· the numbers of data subjects concerned;
· the volume of personal data being processed;
· the range of different data items being processed;
· the geographical extent of the activity; and
· the duration or permanence of the processing activity.
And if you don’t need a Data Protection Officer?
Any business is free to appoint a DPO whether or not GDPR requires it; however, if an appointment is made, the same rules and requirements will apply to the role as if the appointment were mandatory.
If you do not need a DPO and decide not to appoint one, the ICO advises that best practice is to record this decision and the reasons for it. Where a business does not appoint a DPO, its management must still ensure that the business has adequate resources available to discharge its obligations under the GDPR.
Please keep an eye out for our future updates. In these, we aim to help you identify areas of importance to businesses, so that you can ensure that your risks are covered off. You should also remember that the Information Commissioner’s website (https://ico.org.uk/) has many useful articles, guidance and checklists to help you steer clear of trouble.
This update is for general information only, is non-exhaustive and is not legal advice. If you need assistance, please get in touch.