Q&A: Appointing a Data Protection Officer under the GDPR
Posted in: First Tuesday Q&A NI on 6 March 2018
This month’s First Tuesday Q&A article considers questions that were submitted by audience members as part of Legal Island’s Annual Review of Employment Law conferences 2017, with a specific focus on the GDPR.
The need to understand and appreciate the strict obligations on employers with regard to the storing and processing of data is now more important than ever as we move closer to the deadline of 25th May 2018. With potential fines of €20 million or 4% of global annual turnover, employers need to review their data collection policies and consider how data security is ensured within their organisation.
This month, Chris Fullerton of Arthur Cox answers a number of GDPR-related queries, providing guidance on the appointment of a Data Protection Officer, when it will be mandatory and what powers the individual will have. He also clarifies the accountability principle under the new regulation, explaining the need for organisations to demonstrate compliance with data protection principles.
- What are “real powers” under the WP29 Guidelines?
- Can we appoint an existing employee as a Data Protection Officer?
- Is appointment of a Data Protection Officer mandatory?
- What is the accountability principle?
Q. What are “real powers” under the WP29 Guidelines?
The Working Party Guidelines (“WP29 Guidelines”) on Data Protection Officers (“DPOs”), adopted on 13 December 2016, aim to give DPOs “real powers”.
A DPO should be invited to participate regularly in meetings of senior and middle management, particularly where decisions with data protection implications will be taken. Appropriate weight should be attached to the DPO's opinion and, on occasions when the DPO's opinion is not followed, the WP29 Guidelines recommend, as good practice, documenting the reasons for not following the DPO’s advice.
Data processors and data controllers must ensure that a DPO is involved "properly and in a timely manner, in all issues which relate to the protection of personal data".
A DPO has significant autonomy, which means that when fulfilling their tasks they must not be instructed on how to deal with a matter, how to investigate a complaint or what outcome should be achieved. However, this autonomy does not grant a DPO decision-making powers which extend beyond their tasks.
Essentially a DPO is engaged to monitor compliance with the GDPR. In carrying out their monitoring role, a DPO may collect information to identify processing activities, analyse the compliance of processing activities and make recommendations to the controller or processor. However, in the event of non-compliance, a DPO will not be held responsible. Further, a DPO is protected under GDPR from being dismissed or penalised in relation to the performance of his/her tasks.
A DPO also has useful powers to assist the data controller in completing a data protection impact assessment (“DPIA”). The data controller may seek advice from a DPO when carrying out a DPIA and if so, a DPO has a duty to provide such advice.
Q. Can an organisation appoint an existing employee as DPO? If so, what qualifications or experience must they have?
In short, an organisation can appoint an existing employee as its DPO. However, the professional duties of the employee must be compatible with the duties of the DPO and not lead to a conflict of interest.
It is essential that a DPO is appointed on the basis of his/her professional qualifications and expert knowledge of data protection law. The WP29 Guidelines specify that a DPO's level of experience should correspond to the sensitivity, complexity and volume of data processed by the organisation.
Ultimately the experience and qualifications will need to be assessed in light of the specific requirements of the organisation appointing a DPO. However, the WP29 Guidelines recommend the following experience and qualities as an initial guide for appointing a DPO:
- Expertise in national and European data protection laws and practices, with a particularly thorough knowledge of GDPR;
- Understanding of the processing operations carried out;
- Understanding of information technologies and data security;
- Knowledge of the business sector and organisation;
- Ability to promote a culture of data protection within the organisation; and
- Integrity and high professional ethics.
Q. Is appointment of a Data Protection Officer mandatory?
Article 37(1) of the GDPR sets out the circumstances where appointment of a DPO is mandatory:
- Public authorities or bodies;
- Organisations whose core activities involve regular, systematic and large scale monitoring of data subjects; or
- Organisations whose core activities consist of the large-scale processing of special categories of data or data relating to criminal convictions and offences.
However, the GDPR does not actually clarify what constitutes "public authorities", "core activities" and "large scale processing". In an effort to remedy this, the WP29 Guidelines were published and provide the following useful information:
Public authority or body
This should be determined under national law which typically means that national, regional and local authorities will be covered under "public authority" as well as other public sector bodies governed by public law.
The WP29 Guidelines recommend, as good practice, that private organisations carrying out public tasks or exercising public authority, appoint a DPO.
Core activities
Core activities of a controller relate to "primary activities". Therefore, core activities will include activities necessary to achieve the data controller’s/processor's goals. Examples of ancillary functions would be support functions such as IT and payroll.
Large scale processing
Processing operations which aim to process a considerable amount of personal data at regional, national or supra-national level, which could affect a large number of data subjects and which are likely to result in a high risk, would be deemed "large scale".
The WP29 Guidelines also recommend taking the following factors into account:
- Number of data subjects concerned;
- Volume of data;
- Duration of data processing activity; and
- Geographical extent of the processing activity.
Organisations that do not fall within one of the categories under Article 37 may still decide to appoint a DPO in order to reflect the GDPR requirement to implement “data protection by design and default”.
Furthermore, UK organisations have discretion to nominate additional circumstances where DPO appointment is mandatory.
Q. What is the accountability principle?
Unlike the Data Protection Act 1998, accountability is codified under the GDPR, signifying its importance. Article 5(2) and Article 24 of the GDPR establish “accountability” by requiring organisations to demonstrate compliance with the data protection principles. These principles include fairness, lawfulness, transparency, data minimisation and confidentiality.
Data controllers should implement data protection policies proportionate to their processing activities. However, the implementation of data protection policies alone will not satisfy the accountability principle. Data controllers must implement measures that will satisfy a supervisory authority that the GDPR is being complied with. This can be achieved through evidence of:
- Effective internal policies and procedures; and
- External compliance controls.
The particular accountability measures which will be appropriate will depend on the nature, scope, context and purposes of the relevant data processing along with the impact that the measures will have on the rights and freedoms of individuals. The following GDPR requirements and concepts are linked to accountability:
- Implementation and maintenance of privacy controls on a continuous basis (privacy by default and privacy by design);
- Ensuring comprehensive records are kept if there are more than 250 employees;
- GDPR compliant technology;
- Testing privacy measures on a regular basis;
- Providing training on privacy and data protection;
- Procedures for remedying inadequate compliance and breaches.
The information in this article is provided as part of Legal-Island's Employment Law Hub. We regret we are not able to respond to requests for specific legal or HR queries and recommend that professional advice is obtained before relying on information supplied anywhere within this article.