The General Data Protection Regulation (GDPR) is due to come into force in little over a year’s time (25 May 2018). Among the many changes ushered in, GDPR introduces a new governance requirement: the duty on the part of certain organisations to appoint a data protection officer (DPO).
Will your organisation fall under this new requirement? Read on to find out…
Who needs a DPO? What the law says…
According to GDPR Article 37, the following categories of organisation must appoint such an officer:
- Public authorities
- Those organisations whose core activities include data processing where there is “regular and systematic monitoring of subjects on a large scale”
- Where the core activities of the organisation consist of the processing of personal data of a sensitive nature on a large scale
What does a DPO do?
In broad terms, the DPO acts as a general advisor to the organisation on all matters of GDPR compliance. In addition, the DPO is a “point of contact” (in effect a go-between) with the supervisory authority - i.e. the Information Commissioner’s Office (ICO) in the UK. According to GDPR Article 39, the DPO’s role is also concerned closely with the internal policies of the organisation, including staff training and raising security awareness.
So does this only apply to public authorities?
At first glance, it might seem that this requirement only catches public bodies. In reality, however, the inclusion of those organisations whose core activities include systematic, regular monitoring - as well as those carrying out large-scale processing of sensitive personal data - means that a wide range of private commercial enterprises will also be caught.
In December of last year, the European Parliament’s GDPR working party released its Guidelines on Data Protection Officers. These guidelines should be considered in detail as part of your GDPR readiness preparations (as should the further guidelines expected from the ICO). With reference to the guidance, here are some of the scenarios in which organisations may require a dedicated officer:
- Public authorities - including individual schools. The position here is likely to depend on the governance position of the school. For instance, if the school is part of a wider academy group, a single DPO for the entire group will be sufficient. We’ll know more about this once further ICO guidance is released.
- Private organisations carrying out public tasks (e.g. public transport, infrastructure and public broadcasting)
- Private companies carrying out surveillance of shopping centres or other public spaces
- Service providers (e.g. insurance companies) processing large volumes of customer data
- Companies that monitor the online behaviour of a large volume of customers - e.g. for the purposes of targeted advertising.
In summary, if your core activities involve large-scale, regular or systematic monitoring - or they relate to processing of sensitive data on a large scale, you are likely to be caught by the requirement.
Article 37 GDPR makes it clear that DPOs require “expert knowledge” both in relation to data protection law - and in relation to protection on a practical level. So, in effect, does GDPR require you to go out and hire a data protection professional to fill this role? Not necessarily. Thankfully, Article 37 makes it clear that it is possible to outsource the DPO role.
All of this means it is imperative for organisations to check carefully whether they fall within the DPO ambit, and to consider what this means in terms of bolstering in-house expertise with the right IT compliance support services.