The GDPR introduced a new formal role of Data Protection Officer setting out expectations of its responsibilities and the support the organisation must give to that role.
However, this role is not always required, and it can be ambiguous to determine whether a DPO is needed.
Does my company need a Data Protection Officer?
You are only lawfully required to appoint a DPO if one of the following conditions is met:
- your processing is carried out as or on behalf of a public authority or body, except for courts acting in their judicial capacity; or
- your “core activities” as a data controller or data processor consist of processing operations which by virtue of their nature, scope and/or purposes, require regular and systematic monitoring of data subjects on a large scale; or
- your “core activities” as a controller or processor consist of processing on a large scale of special categories of data pursuant to Article 9, or of personal data relating to criminal convictions and offences referred to in Article 10.
You can read more details about these conditions at the end of the blog.
Here at Xynics we do not recommend appointing a formal DPO unless it is necessary to do so. If one is appointed where it is not necessary, you will be obliged to respect and provide all the associated resources and obligations that come with this role. Instead, if you are not required to appoint a DPO, you should appoint a Data Compliance Manager or a similarly titled role. However, the role must not be titled “Data Protection Officer”, as in doing so you formalise that title and role.
The position of a Data Protection Officer/Data Compliance Manager
Whatever the title, the role of your data protection expert should include making sure all the correct policies and procedures are in place and are being followed and updated accordingly.
They will also oversee all the fundamental legal obligations required of your organisation under the GDPR, such as advising on data protection impact assessments (DPIAs), making sure staff are trained and receive ongoing refresher training, and mapping and responding to data subject access requests (DSARs). They will also help your organisation identify and prioritise risks.
The GDPR expects anyone taking up these duties to be able to act independently and to be suitably knowledgeable (more on these below), which means keeping up to date with legislation, undertaking training courses and, if the role is not their only job, taking time out from their “day job” to fulfil these duties.
It is for these reasons that many companies are embracing the idea of an outsourced data protection expert, in order to achieve independence and compliance in a cost-effective manner.
The importance of independence.
To succeed in their role, DPOs and data protection experts require autonomy and must act independently of corporate hierarchies, so that they can conduct their duties without interference from internal parties. Acting independently, they should report to the highest level of management in the organisation to ensure that the right department receives timely advice on all data protection issues.
However tempting it may be to give this role to your Marketing Manager or another senior decision maker in the business, a DPO/Data protection expert must not be put in a position that may lead to a conflict of interest (they should not have the responsibility of deciding how and why data is processed), as this would blur the lines of accountability.
In order to achieve adequate independence, your data protection expert must be given the necessary resources, including adequate budget and equipment where required; however, the specific needs in these areas will vary greatly between different companies.
That is why the best approach to striking this balance is often to appoint an independent external data protection expert.
Knowledge and understanding.
Where a Data Protection Officer or a Data protection expert is appointed, the position should be designated on the basis of professional qualities, and in particular on expert knowledge of Data Protection law and practices.
The holder of the role must be provided with appropriate resources to carry out their tasks and maintain their expert knowledge, such as formal training in data protection law and practices, and total transparency of the business’s use of information. For them to perform the role adequately, they must fully understand everything the business does with information.
As already mentioned, they must not have any other duties or tasks that might result in a conflict of interest with data protection; however, there may be times when this is wholly impractical, such as where your only reasonable option is to appoint that person to the role.
Providing the role holder can agree to always favour data protection over those other duties, this would be acceptable in a smaller organisation, but they must make extra effort to document any decisions they make to demonstrate their impartiality.
Clearly, maintaining expert knowledge, delivering training and support to your business and having an impartial view could be a strain on an employee and the business, which is why you may prefer to appoint an external service provider like Xynics to fulfil the formal role of Data Protection Officer, or the informal Data Compliance expert position.
Benefits of an outsourced Data Protection Expert.
· Being impartial and making those hard choices is easier if you are not an employee of the business.
· Spread the cost of maintaining the knowledge.
· Access to knowledge “as it happens” with current case law and precedents.
· A Data Compliance Manager can cost £35k per year or more; a DPO from £50k per year. Outsourcing is very cost effective; it can be as little as 20% of the cost with 100% of the benefits.
If you would like to discuss using Xynics as your outsourced Data Protection Expert, or for more information on how Xynics can help you, please contact us.
For the purposes of clarity:
Core Activities do not include Supporting Activities, and (as defined in Recital 97) mean those activities your business undertakes to deliver products or services to your customers, such as Sales & Marketing, Order Processing or Credit Checking. As an organisation, you determine the need to undertake these activities to deliver your business objectives.
Supporting Activities are those activities the business must undertake in order to function, such as Invoicing, Purchasing, HR, Payroll. Note however that for a Payroll Service Provider, the processing of a client’s Payroll is a Core Activity, but the processing of their own payroll would be a Supporting Activity.
Large Scale is not defined in the GDPR (however precedents may be set in the future) but is taken to mean that the processing will be considerable and could affect a large number of individuals.
Guidance from the European Data Protection Board suggests considering:
· The number of individuals concerned, either as a specific number or as a proportion of the relevant population. For example, processing of 500,000 individuals would be large scale, or perhaps more than 25% of the potential marketplace would be large scale.
· The volume of data and/or the range of different data items being processed. For example, are you processing a significant number of transactions?
· The duration, or permanence, of the data processing activity. For example, will the processing occur once, with the data then erased?
Examples of large-scale processing include:
· processing of patient data in the regular course of business by a hospital
· processing of travel data of individuals using a city’s public transport system (e.g. tracking via travel cards)
· processing of real time geo-location data of customers of an international fast food chain for statistical purposes by a processor specialised in providing these services
· processing of customer data in the regular course of business by an insurance company or a bank
· processing of personal data for behavioural advertising by a search engine
· processing of data (content, traffic, location) by telephone or internet service providers
Regular and Systematic Monitoring
This means any form of regular or routine tracking or profiling of information, online or offline, based upon a pre-arranged or pre-determined methodology, plan or strategy.
The European Data Protection Board defines:
Regular as ongoing or occurring at particular intervals, or recurring or repeated at fixed times.
Systematic as occurring according to a system, pre-arranged, organised or methodical, taking place as part of a general plan for data collection, or carried out as part of a strategy.
The EDPB also gives examples of activities that may constitute regular and systematic monitoring of individuals:
· operating a telecommunications network;
· providing telecommunications services;
· email retargeting;
· data-driven marketing activities;
· profiling and scoring for purposes of risk assessment (e.g. for purposes of credit scoring, establishment of insurance premiums, fraud prevention, detection of money-laundering);
· location tracking, for example, by mobile apps;
· loyalty programs;
· behavioural advertising;
· monitoring of wellness, fitness and health data via wearable devices;
· closed circuit television;
· connected devices, e.g. smart meters, smart cars, home automation, etc.