This article addresses some of the most common questions we receive about the role of the Data Protection Officer (DPO):
- Do we need a DPO?
- What type of person does the DPO need to be?
- What are the tasks of the DPO?
- What different models are there for delivering a DPO function?
- How can Evolve North help?
Do we need a Data Protection Officer?
The EU General Data Protection Regulation (GDPR), which has been effective across the European Union since May 2018, legislates that certain organisations must have a designated Data Protection Officer.
The GDPR states that the following organisations must have a DPO, whether they are data controllers or processing personal data on behalf of someone else:
- Public authorities (except for courts acting in their judicial capacity)
- Organisations whose core activities include carrying out regular and systematic monitoring of individuals on a large scale, or
- Organisations whose core activities include carrying out large-scale processing of special categories data or data relating to criminal convictions.
Appendix 1 provides more detail on what we mean by “core activities”, “special categories data”, “regular and systematic monitoring” and “large scale”.
So if my organisation doesn’t meet these criteria, we don’t need a DPO?
Even organisations that don’t meet these criteria will have an obligation to meet the requirements of the GDPR and the Data Protection Act 2018 if they are processing personal data. Therefore, it will be key that someone takes a lead in ensuring your organisation meets its data protection requirements so that you can be confident that personal information is being handled appropriately and all staff understand their responsibilities in this area.
What type of person does the DPO need to be?
The DPO should:
- have a high-level knowledge of data protection and privacy law
- understand how to apply this through appropriate technical and organisational controls
- have a good understanding of the processing activities being carried out by your organisation
- be able to act independently and without conflict
What are the tasks of the DPO?
Article 39 of the GDPR states that the DPO's tasks are:
- to inform and advise you and your employees about your obligations to comply with the GDPR and other data protection laws
- to monitor compliance with the GDPR and other data protection laws, and with your data protection policies, including managing internal data protection activities, raising awareness of data protection issues, training staff and conducting internal audits
- to advise on, and to monitor, Data Protection Impact Assessments
- to cooperate with the relevant supervisory authority, e.g. the Information Commissioner’s Office in the UK
- to be the first point of contact for supervisory authorities and for individuals whose data is processed (employees, customers, etc.)
They will need to understand the risks to personal data within your organisation and ensure that relevant leads are made aware of these risks so that they can be actioned appropriately. Part of this work may involve supporting the development of records of processing for the organisation.
What different models are there for delivering a DPO function?
There are different ways of delivering a DPO function in any organisation. The model you implement will be dependent on the level and type of processing carried out, the size of your organisation and potentially the level of work still needed to ensure you are GDPR compliant. Some possible ways of delivering this function are listed below:
Use an existing employee to fulfil this role
If you have a suitably skilled individual who has the capacity to pick up this role, then this might be an appropriate option, as long as their current responsibilities don’t lead to a potential conflict of interest, e.g. if the individual is a senior decision maker. It may be that an existing member of staff is already leading on data protection and so could pick up this role.
Appoint your own DPO/support function
If you are a large organisation that can justify a full-time Data Protection Officer, then a new individual could be employed to carry out this role. This would have the advantage of having someone who is dedicated to supporting data protection activities in your organisation and who could be appointed based on relevant expertise. They can also be supported by other members of the organisation, or other new staff, but there must be one named DPO lead. This person could also potentially act across a number of organisations if this is practical and appropriate capacity is in place to deliver the function effectively.
Contract DPO support from another organisation
You can contract out the role of DPO externally, based on a service contract with an individual or an organisation. An externally appointed DPO would have the same position, tasks and duties as an internally appointed one. In addition, you could use externally contracted support from a specialist organisation to help the DPO to fulfil their role, where capacity or expertise may be limited in house.
How can Evolve North help?
If you would like to use an external organisation with recognised expertise in data protection, privacy and IT security, Evolve North can offer a range of DPO support packages that can be tailored to assist your company, whether this is providing you with a named DPO for your organisation (particularly suitable for smaller organisations/SMEs) or in supporting your own DPO in delivering the DPO function. Specific areas of support could include:
- Providing audit and review of data protection and IT security practices to ensure that your organisation can evidence current and ongoing compliance with relevant data protection requirements
- Providing support for specific areas such as:
  - Dealing with subject access and other data subject requests
  - Dealing with a data breach or cybersecurity incident
  - Development of relevant policy and procedure for staff
  - Development of Data Protection Impact Assessments
  - Understanding your information assets and risks to these assets
  - Implementing data protection training and awareness sessions for staff
- Answering ad hoc queries by email or telephone when required
If you would like more information on how Evolve North can help in supporting your DPO function, please contact us.
Appendix 1 – Meanings
What are “core activities”?
Core activities are the primary business activities of your organisation, so it relates to personal data that is processed to attain key objectives e.g. processing health data to deliver a hospital service. This is different to processing personal data for other secondary purposes such as payroll or HR, which is not part of the organisation’s primary objectives.
What are “special categories data”?
Special categories data means personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership; genetic or biometric data processed for the purpose of uniquely identifying a natural person; data concerning health; or data concerning a natural person’s sex life or sexual orientation.
What is meant by “regular and systematic monitoring of individuals”?
Although the GDPR does not define ‘regular and systematic monitoring’ or ‘large scale’, the Article 29 Working Party provided some guidance on these terms in its guidelines on DPOs.
It states that “regular and systematic” monitoring of data subjects includes all forms of tracking and profiling, both online and offline. An example of this would be using an individual’s internet activity to create a profile of them that could be used for marketing; or recording number plates on CCTV as part of traffic management programmes.
What is “large scale” processing?
When determining if processing is on a large scale, the guidelines say you should take the following factors into consideration:
- the number of data subjects concerned
- the volume of personal data being processed
- the range of different data items being processed
- the geographical extent of the activity
- the duration or permanence of the processing activity
An example of large-scale processing might be a national travel insurance company processing health information on large numbers of clients to assess their eligibility for different products.