Ann-Maree Blake, Data Protection and Corporate Partner
It has been 18 months since the General Data Protection Regulation (GDPR) came into force. A year and a half is a long time in business, and your organisation may have grown substantially since May 2018. Therefore, you may find that your organisation either requires a Data Protection Officer (DPO) or would benefit from the voluntary appointment of one.
Appointing a Data Protection Officer is an investment, not only in providing the salary and benefits to the successful candidate but in ensuring they have the resources they need to perform their duties, a requirement under the GDPR. Furthermore, finding a qualified DPO is challenging; at present there is a lot of demand and a shortage of suitable candidates.
A DPO can add considerable value to your organisation. There is a competitive advantage in having a senior-level person dedicated to monitoring risks, identifying opportunities, and ensuring compliance concerning personal data throughout the lifecycle of business projects.
Krishna K. Gupta, the founder of Romulus Capital, was quoted as saying:
“If companies are able to unlock the power of large-scale data, they will make 100 major decisions a year instead of 2-3. They will be able to predict the outcomes (and respective probabilities) of these decisions with much greater accuracy and be able to take external and internal input in real-time. They will be able to optimally leverage each employee in terms of both output and satisfaction. They will be able to create and design products in a much more systematic and scientific manner, rather than the black box of ‘innovation’ today…”
What is a Data Protection Officer?
A DPO is responsible for GDPR compliance within an organisation. However, they also provide guidance on privacy matters, oversee employee training on data protection policies and procedures, and act as the first point of contact for data subjects and the Information Commissioner’s Office (ICO). A DPO is a mandatory appointment for public bodies and for certain organisations whose processing operations meet specific criteria. However, even if you do not have to appoint a DPO, the European Data Protection Board (EDPB) encourages organisations to assign one voluntarily.
Article 37(1) of the GDPR sets out three situations where it is mandatory to appoint a DPO:
“The controller and the processor shall designate a data protection officer in any case where:
- the processing is carried out by a public authority or body, except for courts acting in their judicial capacity;
- the core activities of the controller or the processor consist of processing operations which, by virtue of their nature, their scope and/or their purposes, require regular and systematic monitoring of data subjects on a large scale; or
- the core activities of the controller or the processor consist of processing on a large scale of special categories of data pursuant to Article 9 or personal data relating to criminal convictions and offences referred to in Article 10.”
Regarding public bodies, if your organisation has successfully tendered for a contract to support a public body’s operations, the Article 29 Working Party Guidance [1] (WP29 Guidelines) recommends that a DPO is appointed:
“Even though there is no obligation in such cases, the WP29 recommends, as a good practice, that private organisations carrying out public tasks or exercising public authority designate a DPO. Such a DPO’s activity covers all processing operations carried out, including those that are not related to the performance of a public task or exercise of official duty (e.g. the management of an employee database)”.
How is ‘core activity’ defined?
The ICO states that to qualify as a ‘core activity’, the processing of personal data must constitute part of carrying out the main objectives of the organisation. For example, if your business provides direct marketing services for other organisations, and your tasks include collecting names, email addresses and obtaining consent under the GDPR, your data processing constitutes a core activity of your operation.
What is ‘…monitoring of data subjects on a large scale’?
‘Large-scale monitoring’ is not defined under Article 37. The WP29 Guidelines note that Recital 91 states that large-scale processing relates to:
“…in particular [apply] to large-scale processing operations which aim to process a considerable amount of personal data at regional, national or supranational level and which could affect a large number of data subjects and which are likely to result in a high risk, for example, on account of their sensitivity, where in accordance with the achieved state of technological knowledge a new technology is used on a large scale as well as to other processing operations which result in a high risk to the rights and freedoms of data subjects, in particular where those operations render it more difficult for data subjects to exercise their rights”.
Although this recital concerns data protection impact assessments rather than the appointment of a DPO, it does provide some guidance.
The ICO states that, when considering whether processing amounts to ‘large-scale’ processing, regard should be had to:
- the number of individuals concerned;
- the volume of data;
- the variety of data;
- the duration of the processing; and
- the geographical extent of the processing.
What is ‘regular and systematic monitoring’?
The ICO states:
“‘Regular and systematic’ monitoring of data subjects includes all forms of tracking and profiling, both online and offline. An example of this is for the purposes of behavioural advertising”.
Examples of businesses that regularly and systematically monitor personal data include telecommunications companies, security companies monitoring CCTV, and behavioural advertising organisations.
What constitutes ‘special categories of data’ and data related to criminal convictions?
Article 9(1) of the GDPR prohibits the processing of ‘special categories of personal data’, which reveal a person’s:
- racial or ethnic origin
- political opinions
- religious and philosophical beliefs
- trade union memberships or other associations
It is also prohibited to process data related to:
- genetic data or biometric data used for identification
- health data
- data concerning a person’s sex life or their sexual orientation
Article 9(2) provides exceptions to the prohibition of data processing in Article 9(1) where:
- the data subject has provided explicit consent to the processing
- processing is necessary for the data controller or data subject to carry out their obligations or exercise the specific rights of either party in terms of employment and social security and social protection law
- in cases where the data subject cannot give consent (for example, due to mental incapacity), the processing of the data is needed to protect the person’s vital interests
- a foundation, association, or NGO is processing the data as part of its legitimate activities with appropriate safeguards in place and the processing relates solely to the members or to former members of the body
- the data subject has made the data public
- the data is required for disclosure purposes in a legal case
- the data processing is in the public interest and is proportionate to the aim being pursued
- the processing is required for medical purposes
- there is a public health interest attached to the processing, for example, a cross-border health threat
- processing is necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) of the GDPR (as long as UK law allows for the processing and it is proportionate to the project’s objectives)
In relation to data concerning criminal convictions, Article 10 of the GDPR states that any data of this sort must be processed either:
- under the control of an official authority, or
- only in circumstances where the government has authorised the processing and put safeguards in place to protect the rights and freedoms of the data subject
Article 10 also states that any detailed register of criminal convictions must be kept under control of an official authority.
What if I decide to voluntarily appoint a DPO?
If you decide to voluntarily appoint a DPO, that person will be expected to comply with all GDPR requirements related to the role as if the appointment were mandatory. You may voluntarily appoint a DPO at any time, and upon doing so, you need to inform the ICO of the DPO’s details.
Wrapping up
Many organisations view the appointment of a DPO as a cost. However, having someone dedicated to data protection compliance gives investors, customers, and suppliers confidence that you take regulatory compliance seriously. By having a DPO in place, your risk of reputational damage due to a data breach is reduced, as are your chances of being investigated for non-compliance with the GDPR or the Data Protection Act 2018. Finally, a DPO can identify business opportunities connected with personal data processing and develop a strategy for taking advantage of these discoveries in a compliant way, with all risks carefully managed.
[1] Formally the Article 29 Data Protection Working Party
If you require advice on GDPR or any other privacy or data protection matters, please get in touch with Ann-Maree Blake, a Partner in our Data Protection team.
Please note – this article does not constitute legal advice.