GDPR: The Data Protection Officer cometh

Introduction

One of the key changes that the GDPR will bring about is a change to how organisations need to organise their internal governance around personal data.

Under the current Data Protection Acts, organisations are required to register with the Data Protection Commissioner – literally to tell the Regulator what they are doing with personal data – unless they can avail of a range of exemptions. The fact of the exemptions made this requirement largely meaningless for the majority of organisations in Ireland.

The GDPR has introduced the idea of a Data Protection Officer, a defined management role with responsibility for ensuring the organisation acts in compliance with the legislation. This effectively replaces the registration regime with a requirement for organisations to look inside and govern themselves more effectively when it comes to Personal Data.

Of course, it has always been good practice to have someone in your organisation with responsibility for handling Data Protection issues, in the same way as you have someone responsible for the paperclips and post-it notes. The GDPR takes this a lot further, with the risk of a fine of up to €10,000,000 or 2% of turnover if an organisation that needs to meet this requirement fails to do so.

The tasks of the DPO

Under the Regulation, a Data Protection Officer will, at the minimum, be required to:

• Inform and advise the organisation and its employees of their obligations under the Regulation and any other relevant EU or National legislation relating to data protection
• Monitor compliance with the Regulation, other data protection related laws, and with internal policies. This will include assigning responsibility for awareness raising and training of staff and conducting audits. (Note – the DPO is responsible for assigning responsibility for these functions and ensuring they are done, not actually doing them). This will include monitoring to ensure that all processing activities are documented appropriately.
• Provide advice, where requested, on data protection and privacy impact assessments. In reality, this means that the DPO will be involved in ALL impact assessments as organisations will be required under the Regulation to seek their advice when conducting a Data Protection Impact Assessment.
• Act as liaison with the Data Protection Commissioner and co-operate with them
• Act as contact point for Data Subjects when enquiring about their rights or seeking to exercise their rights, or as part of a Data Breach response.

When carrying out their tasks, the DPO will need to pay attention to the level of risk associated with the processing activities, particularly with regard to the types of data and the nature of the processing. This will mean that different industries or different types of processing will require different levels of scrutiny and oversight. It also means that DPOs will need to pay attention to how they will demonstrate the evidence of the effectiveness of the controls and processes they are monitoring.

DPOs: The Good News

The good news for Data Protection Officers is that the role comes with a lot of clout.

The DPO is a key advisory role in an organisation, providing internal guidance on the identification of and mitigation of risks to personal data privacy. They must be independent of day to day management, to the extent that they cannot receive instruction from anyone in relation to the performance of their tasks and they cannot be dismissed or penalised for carrying out their functions as a DPO. Furthermore, the organisation has to provide them with the required supports and resources to do their job, and the necessary training to maintain their expert knowledge. Failure to ensure independence or to provide supports will be an offence under the Regulation.

They also have to report directly to the highest management level in the organisation, and they have to be involved “in a timely manner” in all issues that relate to the protection of personal data. This would include business strategy, systems requirements definition, marketing planning etc., particularly when we take the principle of “privacy by design and default” into consideration. The DPO is most definitely not going to be a side-lined role in organisations, because sideling a DPO will lead to breaches of the Regulation and significant penalties.

The other good news is that the role of the DPO is not, strictly speaking, a mandatory one under the agreed text of the Regulation, except in certain circumstances. Also, the DPO role can be outsourced to an appropriately qualified contractor, or pooled among a group of related companies.

DPOs will only be required for organisations that meet the following criteria:

• You are a public authority or body, except the Courts acting in a Judicial capacity
• Your core activities involve regular and systematic monitoring of data subjects on a large scale
• Your core activities involve large scale processing of data relating to sensitive personal data, including biometric or genetic data, or data relating to criminal convictions or criminal records.
• Member State law requires a DPO to be appointed

Of course, organisations can voluntarily decide to appoint a DPO, just as today they can voluntarily decide to put someone in charge of making sure their data protection practices are compliant. It’s just that under the GDPR, that decision will carry with it some additional weight.

(As an aside: the actual drafting of Article 35 in the agreed text would appear to require organisations to be processing both special categories of data AND crime related data. This is obviously not what was intended, so expect it to be tidied up in the published text. Or interpret conservatively!)

DPO: The Carrot

The carrot for having a DPO is that you will have someone with the authority and clout to ask direct questions about what is being done with personal data in your organisation. This will inevitably highlight data protection issues and risks you will need to resolve, but it also will unearth hidden costs of handling data and may expose potential areas for cost savings. Requiring processing of personal data to be documented is a good way of getting people to think carefully about what it is they intend to do during the design phase of a project or process, which can help avoid wasted expenditure in build, test, and deployment of new products or services.

DPOs: The Bad News

The bad news about DPOs is that there is no definition of “large scale” in the Regulation, and the thresholds suggested in previous drafts (e.g. 250 staff or processing data of 5000 people per year) are gone (the 250 threshold appears elsewhere in the context of documentation of processing, but is likely to be largely meaningless in practice).

So if you have a mailing list you send emails to on a regular basis and you track the click-throughs and opens, or if you have tracking cookies on your website, chances are you have a core business activity that is regularly and systematically monitoring the behaviour of data subjects on a large scale. Or if you have an app that is measuring

Likewise, if you capture data about ethnicity, or religious or philosophical views, or physical or mental health, or run a biometric timeclock, or if you regularly ask applicants for jobs or for your services if they have any criminal convictions, or subject staff to Garda Vetting, then it’s highly likely you’ll need a DPO. (In the latter case, there are further changes in the GDPR which will affect how such data can be used which I will return to in a later article.)

Finally, the GDPR does not give certainty on what the requirements will be for the appointment of a Data Protection Officer. It will be open to Member States to create additional requirements for DPOs to be appointed through domestic legislation. As the DPO function replaces the existing registration function, it is possible that the DPC might, in the interests of efficiency of Regulatory action, ask the legislature to widen the scope of organisations that are caught by the mandatory DPO requirement, or other legislative drivers might introduce a DPO function requirement. For example, the Central Bank might elect to require all insurance brokers to appoint a DPO as part of their licensing regime.

So, while today it is simply good practice to appoint someone in your organisation to be responsible for Data Protection, under the GDPR it will be a prudent risk management approach to avoid the risk of significant penalties because your understanding of “large scale” doesn’t match the perspective of the Data Protection Authorities, or because your business suddenly falls under a requirement under potentially indirectly related Irish legislation to appoint a DPO.

DPO: The Stick

The stick for the DPO role is simple: failure to comply with the requirements of having a DPO that is performing their tasks and ensuring the relevant documentation of processes and effective controls are in place will attract a penalty of €10,000,000 or 2% of turnover.

The skills of the DPO

The Regulation sets out certain skills that a DPO should have, starting with an “expert knowledge of data protection law” and an ability to inform and advise senior management, conduct privacy impact assessments, advise on risk assessments, and a range of other “soft” and “hard” skills, including an understanding of the relevant technologies in use in the activities of the organisation, and their capabilities.

We’ll look again in a later article at the required skills and experience of a DPO, but for now all I will say is that there is already a shortage of qualified and experienced DPOs, particularly if you are looking for a DPO with strong information governance and risk management experience as well as expert knowledge of Data Protection law.

Outsourcing to a contract DPO is a valid approach to addressing this skills gap for your organisation, but I would advise anyone going down this route to think carefully about what they expect from an outsourced DPO and engage appropriate supports. I’d draw the analogy with the fitness industry: on one end of the scale there are the “exercise at home” gadgets, while at the other end of the scale are the personalised coaches who try to teach you to govern your own fitness regime. A key lesson from the world of Data Quality and Information Governance is that tools and technologies don’t deliver the needed change, just like an Ab-blaster 9000 won’t get you fit.

ClouDPO