Under the Data Protection Act 2018 (UK GDPR), there are three specific cases when it is mandatory for an organisation (whether a controller or processor) to appoint a single data protection officer (DPO) to facilitate their compliance with the UK GDPR:
- all public authorities and bodies (irrespective of what personal data they process) but not courts acting in their judicial authority
- organisations whose core activity is monitoring individuals regularly and systematically, on a large scale (e.g., online behavioural tracking) or
- organisations whose core activity consists of processing on a large scale special categories of personal data or personal data relating to criminal convictions and offences.
The European Data Protection Board (EDPB) has endorsed guidelines adopted by its predecessor, the Article 29 Working Party, on the appointment of DPOs. Wording below in quotes reflects the EDPB’s guidelines. It is likely the UK’s Information Commissioner’s Office (ICO) will follow these guidelines for a while. The ICO has also published its own guidance.
Are you caught by any of the above?
Public authorities and bodies
Section 7 of the Data Protection Act 2018 defines what a ‘public authority’ and a ‘public body’ are for the purposes of the UK GDPR.
There is no definition of public authorities or bodies in the UK GDPR itself, so this needs to be determined in accordance with UK law.
In the UK, public bodies and authorities would include ministerial departments (e.g. Department for Education, Department for Transport and Department for Health), non-ministerial departments (e.g. Serious Fraud Office, Crown Prosecution Service and National Crime Agency), agencies and other public bodies (e.g. Crown Commercial Service, British Council and DVLA).
Organisations whose core activity is monitoring individuals regularly and systematically, on a large scale
This needs to be broken down as follows:
(1) core activities relate to ‘primary activities [of an organisation] and do not relate to the processing of personal data as ancillary activities’. They can include ‘key operations necessary to achieve [an organisation’s] goals’ and ‘activities where processing of data forms an inextricable part of [an organisation’s] activity’.
Paying employees and having standard IT support activities are examples of ‘necessary support functions for the organisation’s core activity or main business’ which are ‘usually considered ancillary functions rather than the core activity’.
(2) large scale is not defined in the UK GDPR and the EDPB recommends looking at the following factors:
- the number of data subjects concerned – either as a specific number or as a proportion of the relevant population
- the volume of personal data and/or the range of different personal data items being processed
- the duration, or permanence, of the data processing activity and
- the geographical extent of the processing activity.
The EDPB gives the following examples of large-scale processing:
- processing of patient data in the regular course of business by a hospital (but not by an individual physician)
- processing of travel data of individuals using a city’s public transport system (e.g. tracking via travel cards)
- processing of customer data in the regular course of business by an insurance company or a bank and
- processing of personal data for behavioural advertising by a search engine.
(3) regular and systematic monitoring is also not defined in the UK GDPR and the EDPB guidance interprets ‘regular’ and ‘systematic’ as follows:
- regular – ongoing or occurring at particular intervals for a particular period, recurring or repeated at fixed times, constantly or periodically taking place
- systematic – occurring according to a system, pre-arranged, organised or methodical, taking place as part of a general plan for data collection and carried out as part of a strategy
The EDPB also lists the following examples that may fall within this definition: operating a telecommunications network; providing telecommunications services; email retargeting; profiling and scoring for purposes of risk assessment (e.g. for purposes of credit scoring, establishment of insurance premiums, fraud prevention, detection of money-laundering); location tracking (e.g. by mobile apps); loyalty programs; behavioural advertising; monitoring of wellness, fitness and health data via wearable devices; closed circuit television; connected devices (e.g. smart meters, smart cars, home automation, etc).
Organisations whose core activity consists of processing on a large scale special categories of personal data or personal data relating to criminal convictions and offences
This is fairly straightforward as ‘special categories of personal data’ are defined in the UK GDPR (i.e. personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation), and criminal convictions and offences are self-explanatory. Similar factors to those considered above for large scale processing would apply here.
If you do need to appoint a DPO, what do you need to do?
A group of companies can appoint a single DPO provided that s/he is ‘easily accessible from each establishment’. The EDPB draws upon three areas of the GDPR to give guidance on what accessibility refers to, namely the tasks of the DPO as a contact point with respect to data subjects, the supervisory authority and also internally within the organisation, because one of the tasks of the DPO is ‘to inform and advise [the organisation] and [its] employees who carry out processing of their [GDPR] obligations’.
Other key factors to take into account when appointing a DPO include:
- the DPO should be located in the EU, whether or not the organisation is established in the EU (but it can’t be excluded that, in some situations where an organisation has no establishment within the EU, a DPO could be based outside the EU)
- the DPO must have expert knowledge of data protection law and practices, and have the ability to carry out the tasks set out in the UK GDPR
- the DPO’s level of experience must be commensurate with the sensitivity, complexity and amount of personal data that an organisation processes
- the DPO must be capable of performing the tasks which the UK GDPR requires them to be responsible for (e.g. advising on data protection impact assessments, co-operating with the ICO, advising on the organisation’s obligations under the UK GDPR and monitoring its compliance)
- the DPO must be sufficiently senior within the organisation but at the same time they must be able to perform their duties and tasks independently and must not be directed by senior management on how to deal with a matter, or required to take a certain view on a UK GDPR issue and
- the organisation remains responsible for its compliance with the UK GDPR – responsibility does not fall to the DPO.
If you don’t need to appoint a DPO, should you appoint one on a voluntary basis?
Both the ICO and the EDPB encourage designating a DPO on a voluntary basis. However, if you do this then you will be required to comply with the above requirements.
Guidance from the EDPB states: ‘Nothing prevents an organisation, which is not legally required to designate a DPO and does not wish to designate a DPO on a voluntary basis … to nevertheless employ staff or outside consultants with tasks relating to the protection of personal data. In this case it is important to ensure that there is no confusion regarding their title, status, position and tasks. Therefore, it should be made clear, in any communications within the company, as well as with data protection authorities, data subjects, and the public at large, that the title of this individual or consultant is not a “data protection officer”.’
If you decide that you don’t need to appoint a DPO, either voluntarily or because you don’t meet the above criteria, it is good practice to record this decision to help demonstrate compliance with the accountability principle.
What should you do now?
Decide if you need to appoint a DPO. If you do, ensure that your DPO has the expertise and skills required by the UK GDPR to fulfil their role – too often existing employees who have no prior experience or knowledge of data protection laws are given this role. Their contract of employment or service contract will need to contain information aligned to the UK GDPR including in relation to their role, what resources will be made available to them to support them, and their tasks (including their independent status).
If you are unsure as to whether you need to appoint a DPO and would like further advice, please contact us.
If you do appoint a DPO, you need to:
- publish your DPO’s contact details including postal address, email and telephone number (e.g., in your privacy notices) (although there is no requirement to publish their name) and
- communicate those contact details to the relevant supervisory authorities.
Disclaimer: This article is provided for information purposes only and does not constitute legal advice. Professional legal advice should be obtained before taking or refraining from taking any action as a result of the contents of this article.