Organisations that have not already done so need to decide whether they will appoint a Data Protection Officer (DPO). From May 2018, you must appoint a DPO if you:
If you are required (or choose) to appoint a DPO, you must ensure that:
You may appoint a single DPO to act for a group of companies, taking into account their structure and size.
You may appoint an individual employee within the organisation or an external consultant.
The GDPR does not specify the precise credentials that a DPO must have. However, it does require that they should have professional experience and knowledge of data protection law. The level of experience should be proportionate in light of the organisation’s activities.
On the positive side, having a DPO means that you will have a recognised person with appropriate authority to manage use of personal data in your organisation. They may identify risks you will need to resolve, but may also unearth hidden benefits to reconnect with customers or potential areas for cost savings. Involving them at the design phase of a project or process can help avoid wasted expenditure in build, test, and deployment of new products or services.
Alternatively, consider the risk of not having a DPO: failure to comply with this requirement of the GDPR will attract a penalty of €10,000,000 or 2% of turnover.
‘Core activities’ are the key operations necessary to achieve the organisation’s goals. For instance, a hospital is set up to provide healthcare, so processing health records forms part of that core activity. By contrast, a manufacturing company processing an employee’s health data (such as self-certification records) for payroll would be an ancillary rather than core activity.
Processing will be considered ‘regular’ if it is ongoing, recurring, or periodical (which appears to cover everything other than one-off monitoring). ‘Systematic’ means ‘occurring according to a system’, ‘pre-arranged, organised or methodical’, ‘carried out as part of a strategy’, or even ‘part of a general plan for data collection’. On this basis, ‘regular and systematic monitoring’ could capture any data collection that isn’t haphazard or accidental!
Published guidance identifies activities such as data-driven marketing, location tracking by mobile apps, behavioural advertising, and use of CCTV. However, it would appear that most organisations will be caught, in particular businesses that are engaged in data-driven marketing activities, so the question will be whether such activities are being carried out ‘on a large scale’.
The GDPR does not define ‘large scale’. Early drafts indicated that more than 250 staff or 5,000 customer records would be considered ‘large scale’. However, these thresholds were removed from the final regulation, leaving an unsatisfactory lack of certainty.
Any organisation over this size should therefore give serious consideration to appointing a DPO (and, if they choose not to, be prepared to justify that decision to the ICO). Organisations under this size should still look at their use of personal data and consider whether, as a proportion of the overall business, the processing should be considered large scale.
Certain types of data fall within ‘special categories’, such as information relating to racial or ethnic origin, political opinions, religious beliefs, trade union activities, physical or mental health, and sexual preferences. Data relating to criminal offences is also given special protection under the GDPR. If you are processing special categories of data on a large scale you must appoint a DPO. What is large scale will be a question of fact and degree depending on the nature of your business.
Regardless of whether you are required to appoint a DPO, you must ensure that your organisation has sufficient staff and skills to discharge your obligations under the GDPR. This is sensible business practice, and is also consistent with the new duty of accountability that the GDPR introduces.
If you voluntarily appoint a DPO you are obliged to provide that person with the resources necessary to carry out the role, including training, so you will have to budget accordingly. The protected position of a DPO also means that an organisation that has second thoughts may find that removing a DPO is harder than appointing one.
Many organisations already employ staff to manage data protection issues, and there is nothing to prevent organisations continuing to do this without having to designate those staff as the ‘DPO’ for the purposes of the GDPR. However, there is an obvious risk of confusion if those members of staff are described in terms that sound like GDPR DPOs, so organisations should take steps to clarify the position. If this involves changing job titles and/or job descriptions, you should be alert to any employment law issues.