Should you appoint a DPO?
The short answer is yes. Under the GDPR, data controllers and processors must appoint a DPO if any of the following circumstances apply to them:
- the organisation is a public body;
- core business activities involve processing operations which require regular and systematic monitoring of data subjects on a large scale; or
- core activities involve the large-scale processing of sensitive data and personal data relating to criminal convictions and other offences.
The monitoring of data subjects will include the tracking of people’s activity on the internet and processing that personal data to profile a person by analysing or predicting his or her personal preferences, behaviours and attitudes.
The Article 29 Working Party (made up of Member State Data Protection Authorities) has also recommended that where a business may not be obliged to appoint a DPO, one should be voluntarily appointed. Its reasoning is that having a DPO in place will facilitate compliance with the GDPR and could provide a competitive advantage for a company.
Who can be a DPO?
The DPO for an organisation can be a member of staff or a consultant. They should have expert knowledge of data protection law and practices and be able to fulfil the required tasks as set out below. The level of expertise should be proportionate to the scale and complexity of the data processing activity taking place in the organisation.
An organisation may appoint a Group DPO to act for a number of undertakings provided that the DPO can easily be accessed by all entities within the group.
Tasks and position of a DPO
The GDPR sets out the minimum duties that the DPO must fulfil:
- inform and advise staff of their obligations under data protection law;
- monitor compliance with those obligations;
- promote awareness and train staff in relation to data protection and the law;
- participate in Data Protection Impact Assessments (DPIAs);
- cooperate with the Data Protection Commissioner and relevant Member State Data Protection Authorities and act as the point of contact; and
- take a risk-based approach to the performance of his or her tasks, taking into consideration the associated risks pertaining to the organisation.
The DPO’s position and stature within the organisation are crucially important. The GDPR requires that they be involved, properly and in a timely manner, in all issues which relate to the protection of personal data. The Article 29 Working Party recommends that:
- the DPO should be invited to participate regularly in meetings of senior and middle management;
- the DPO should be present when data protection related decisions are taken, and must have sufficient information to allow them to give advice; and
- the DPO must be informed immediately when a data breach is discovered.
Characteristics of a DPO at a glance:
- expert and current on data protection regulation;
- good understanding of the nature and structure of the business;
- good understanding of data processing activities carried out; and
- understanding of information systems and data security.
Companies should consider whether they will appoint a DPO. They should also consider whether an appointment should be made in advance of the GDPR coming into effect in May 2018 and how the DPO should be resourced, trained and positioned within the organisation.
The General Scheme of the Data Protection Bill 2017 has been published by the Department of Justice and Equality. The bill gives further effect to the Regulation under Irish law. Interestingly the General Scheme provides that ‘pursuant to Article 37.4, the Minister may…make regulations requiring controllers, processors or associations and other bodies representing categories of controllers or processors to designate a data protection officer’. It goes on to say that in making these regulations the Minister may take into consideration factors such as the nature and purposes of the processing, risks arising for the rights of individuals and the cost of implementation, amongst others.
Essentially this means that the Minister for Justice and Equality may require a broader category of organisations to appoint a DPO than the GDPR sets out. This will undoubtedly widen the net, meaning the GDPR's DPO requirement will apply to more businesses than originally believed.
Grant Thornton will keep you up to date on all GDPR matters as we approach next year’s deadline for implementation.