[The information below is based on the wording of the GDPR and Article 29 Working Party’s (“WP29”) guidance note. The UK will implement the GDPR through the Data Protection Act 2018: as it is still in Bill form, and is still being debated in Parliament, we may need to refresh this guidance to include any UK specific information once we know what survives to become part of the Act.]
The GDPR introduces new requirements, including the need for certain organisations to designate a data protection officer (“DPO”). An overview of the DPO role is set out below.
- What is a DPO?
A DPO is an important position in an organisation: he/she facilitates the organisation’s compliance with data protection rules.
A DPO has particular duties and responsibilities to meet (as set out below), and has the benefit of certain employment protections to enable him/her to do the job properly (also set out below).
- Which organisations need a DPO?
The GDPR sets out the organisations which must have a DPO, namely those which:
- Are a public authority;
- Carry out large scale regular and systematic monitoring of individuals (e.g. online behaviour tracking); or
- Carry out large scale processing of special categories of data or data relating to criminal convictions and offences.
The GDPR does not define what constitutes a ‘public authority’, so the Data Protection Act 2018 will define what a ‘public authority’ in the UK is.
As the Bill reads at the moment, a ‘public authority’ is as defined by the Freedom of Information Act 2000. The Freedom of Information Act 2000 says that a public authority includes the governing body of a maintained school or a maintained nursery school, the proprietor of an Academy (i.e. an Academy Trust), and a further education sector institution. It is therefore likely that these institutions will be public authorities for data protection purposes, and will thus require a DPO.
The WP29 says that organisations should document the internal analysis carried out to determine whether or not a DPO is to be appointed, in order to be able to demonstrate that the relevant factors have been taken into account properly. This analysis should be updated when necessary, for instance if the organisation undertakes new activities/services that might fall within the requirements.
Even if an organisation is not required to have a DPO, they can still decide to designate one.
- What does a DPO do?
The GDPR sets out the DPO’s key tasks, which include the following:
- Inform and advise the organisation / employees of their obligations;
- Monitor compliance with data protection law, including the assignment of responsibilities, awareness-raising, training of staff and related audits;
- Provide advice as regards data impact assessments;
- Cooperate with the supervisory authority [in the UK, this is the ICO];
- Be involved, properly and in a timely manner, in all issues which relate to the protection of personal data; and
- Act as the contact point for the supervisory authority [ICO].
When data is collected from data subjects (e.g. employees or customers), certain information must be given to them. This includes the name and contact details of the DPO. The WP29 says this should allow the DPO to be reached in an easy way, so suggests a postal address, a dedicated telephone number and/or a dedicated e-mail address. Therefore, one of the DPO’s tasks may be to receive and respond to contact from data subjects about the processing of their data and the exercise of their rights under the GDPR.
The WP29 says that the GDPR does not require the published contact details to include the name of the DPO but it may be good practice to do so. It also recommends that an organisation informs its employees of the name and contact details of the DPO, for example publishing them internally on the organisation’s intranet, internal telephone directory, and organisational charts.
In any event, communication of the name of the DPO to the ICO is essential.
DPOs are not personally liable for non-compliance with the GDPR; responsibility rests with the data controller or processor, meaning that the organisation as a whole will be responsible.
Appointing a DPO is a first step but DPOs must also be given sufficient autonomy and resources to carry out their tasks effectively.
- Who can be a DPO?
A DPO should be designated on the basis of professional qualities and, in particular, expert knowledge of data protection law and the ability to fulfil the DPO’s prescribed tasks (as outlined above).
The WP29 says that the required level of expertise is not strictly defined but it must be commensurate with the sensitivity, complexity and amount of data an organisation processes. Similarly, although the GDPR does not specify the professional qualities that should be considered when designating a DPO, the WP29 says that DPOs must have expertise in national and European data protection laws and practices and an in-depth understanding of the GDPR.
The WP29 also says that the DPO should have a good understanding of the processing operations carried out, as well as the information systems, and data security and data protection needs of the controller. In the case of a public authority or body, the DPO should also have a sound knowledge of the administrative rules and procedures of the organisation.
The WP29 says that personal qualities of a DPO should include integrity and high professional ethics.
- Conflict of interests
The DPO can do other tasks and duties, but the organisation must ensure that any such tasks and duties do not result in a conflict of interest.
The WP29 says that conflicting positions within the organisation may include senior management positions (such as chief executive, chief operating officer, chief financial officer, chief medical officer, head of marketing, head of HR or head of IT) but also other roles lower down in the organisational structure if such positions or roles require decisions to be made about what happens to personal data.
For schools, we would suggest that a governor is not a suitable person to be a DPO because he/she will be involved in decisions about personal data through, for example, the setting of the data protection policy. We suggest that any director of the Academy Trust should also not be a DPO. The suitability of Local Governing Body (LGB) governors for the DPO role will depend upon their actual involvement, as determined by the scheme of delegation, and whether there is a conflict with their role. This needs to be assessed on a case-by-case basis, but it is advisable to avoid appointing any governor as DPO.
The WP29 says that, depending on the activities, size and structure of the organisation, it can be good practice for an organisation to:
- Identify the positions which would be incompatible with the function of a DPO;
- Draw up internal rules in order to avoid conflicts of interests;
- Include a more general explanation about conflicts of interests;
- Declare that their DPO has no conflict of interests as a way of raising awareness of this requirement; and
- Include safeguards in the internal rules of the organisation and ensure that the vacancy notice for the position of DPO or the service contract (if outsourcing) is sufficiently precise and detailed in order to avoid a conflict of interests.
To avoid conflict, the DPO should not be an employee on a short or fixed term contract.
- How to manage a DPO
The GDPR sets out conditions for the DPO’s appointment and position.
A minimum term of appointment and strict conditions for dismissal must be set out by the organisation for a DPO post.
The DPO should not receive any instructions regarding the exercise of his/her tasks. Such instruction could take the form of someone telling the DPO what result should be achieved, how to investigate a complaint or whether to consult the supervisory authority. The WP29 says that the DPO must not be instructed to take a certain view on an issue, for example a particular interpretation of the law.
The DPO should report to the highest management level of the organisation. The WP29 says that the organisation should ensure, for example, that the DPO is invited to participate regularly in meetings of senior and middle management. The DPO’s presence is also recommended where decisions with data protection implications are taken. All relevant information must be passed on to the DPO in a timely manner in order to allow him or her to provide adequate advice.
The opinion of the DPO must always be given due weight. In case of disagreement, the WP29 recommends, as good practice, to document the reasons for not following the DPO’s advice. If the organisation makes decisions that are incompatible with the GDPR and the DPO’s advice, the DPO should be given the possibility to make his/her dissenting opinion clear to the highest management level and to those making the decisions.
- Can a DPO be disciplined / dismissed?
The DPO must not be dismissed or penalised for performing his/her duties as a DPO. For example, if a DPO considers that a particular processing is likely to result in a high risk and advises the organisation to carry out a data protection impact assessment but the organisation does not agree, then the DPO cannot be dismissed for providing this advice.
The prohibited penalties against a DPO can take a variety of forms and may be direct or indirect. For example, penalties may be an absence or delay of promotion, prevention from career advancement, or denial of benefits that other employees receive. The WP29 says that a mere threat of these penalties is a sufficient breach if it is used to penalise the DPO on grounds related to his/her DPO activities.
The WP29 says a DPO can still be dismissed legitimately for reasons other than for performing his or her tasks as a DPO (for instance, due to theft, physical, psychological or sexual harassment, or similar gross misconduct).
The GDPR does not specify how and when a DPO can be dismissed or replaced by another person. However, the WP29 says that the more stable a DPO’s contract is, and the more guarantees exist against unfair dismissal, the more likely they will be able to act in an independent manner.
- Can several undertakings designate one DPO?
The GDPR allows a group of undertakings to designate a single DPO provided that he or she is ‘easily accessible from each establishment’. The WP29 says that the availability of a DPO (whether physically on the same premises as employees, via a hotline or other secure means of communication) is essential to ensure that data subjects can contact the DPO.
- Can the DPO role be outsourced?
A DPO can be an external service provider. This would be arranged by way of a service contract. If an external DPO is used, the same protections apply. For example, there must not be an unfair termination of the service contract for activities as DPO.
The WP29 says several individuals, working in a team, can combine their skills/strengths to more efficiently serve their clients. It is recommended to have a clear allocation of tasks within the DPO team and to assign a single individual as a lead contact and person ‘in charge’ for each client. It would generally also be useful to specify these points in the service contract.
Therefore, although organisations can outsource the DPO role (i.e. by appointing an external person or buying into a service), such external providers are likely to be in high demand. It is also important to be mindful of the quality of the person appointed.
Sources of information:
Key parts of the GDPR in relation to DPOs:
- Article 37 (sets out when an organisation must appoint a DPO);
- Article 38 (sets out the position of a DPO);
- Article 39 (sets out a DPO’s tasks).
Key parts of the Data Protection Bill (as it currently stands) in relation to DPOs:
- Section 66 (states that the information given to the data subject must include the name and contact details of the DPO);
- Section 67 (sets out when an organisation must appoint a DPO – similar to Article 37 of the GDPR);
- Section 68 (sets out position of the DPO – similar to Article 38 of the GDPR); and
- Section 69 (sets out the DPO’s tasks – similar to Article 39 of the GDPR).
The Article 29 Data Protection Working Party ‘Guidelines on Data Protection Officers’:
This was last revised and adopted on 5 April 2017. The working party is an independent European advisory body on data protection and privacy.