GDPR: Do I Need a Data Protection Officer?

Sean Stuttaford, Chief Operating Officer and Data Protection Officer (DPO) at Thompson Smith and Puxon, discusses the role of a DPO when the GDPR comes into force in May 2018.

I was recently asked whether there are some roles in an organisation that would be deemed unsuitable to be appointed as a DPO because a conflict might exist. The Article 29 Working Group Guidelines on Data Protection Officers ('DPOs') paper, in particular Section 3.5 (p. 16), seems to suggest that this may be the case as follows:

“As a rule of thumb, conflicting positions within the organisation may include senior management positions (such as chief executive, chief operating, chief financial, chief medical officer, head of marketing department, head of Human Resources or head of IT departments)”.

However the ICO,  which interprets the regulation and incorporates it into UK law, differs slightly in its views  as well as its guidance.

Firstly:

You may not HAVE to appoint a DPO at all.  The phrase “LARGE SCALE” is key. It is only mandatory if you:

• are a public authority (except for courts acting in their judicial capacity)
• carry out large scale systematic monitoring of individuals (for example, online behaviour tracking), or
• carry out large scale processing of special categories of data or data relating to criminal convictions and offences

Secondly:

If you feel that you DO require a DPO then you must ensure only that:

• the DPO reports to the highest management level of your organisation – i.e. board level
• the DPO operates independently and is not dismissed or penalised for performing their task
• adequate resources are provided to enable DPOs to meet their GDPR obligations

Thirdly:

In terms of who can be your DPO, the ICO gives far more general guidance than the Working Party document that allows for a greater freedom of interpretation:

• “as long as the professional duties of the employee are compatible with the duties of the DPO and do not lead to a conflict of interests”, then you can appoint anyone as your DPO, and
• the GDPR does not specify the precise credentials a data protection officer is expected to have either, but it does require that they should have professional experience and knowledge of data protection law. This should be proportionate to the type of processing your organisation carries out, taking into consideration the level of protection the personal data requires

In summary then:

Yes, the Working Group paper does provide some very specific roles that should, in their opinion, be precluded from DPO appointments, but the UK’s independent regulatory body is prepared to be far more pragmatic about the appointments of DPOs, and don’t forget it is the ICO that will interpret the GDPR regulations and bring them into law.

I have directly followed up with representatives of the ICO and discussed this difference in guidance with them. In short they agree that it may be difficult to have a “one size fits all” attitude to DPOs.

They are aware that they are more relaxed about their guidance on who may or may not be a DPO, but this has been a conscious decision. The ICO feels that it is up to organisations themselves to risk assess and appoint a person that they feel is appropriate. The ICO believes that an organisation should undergo an exercise whereby they agree some criteria that are compatible with the ICO guidance on DPO appointments and document that process. As long as an organisation can back up their choice of DPO with a documented process and risk assessment evidence, they believe that this will be sufficient.

However, they did say that once the GDPR is in place, if there is empirical evidence provided over time that a certain role is a high risk or inappropriate for appointment as a DPO, they may refresh their guidance in this area.

For now, as with much of the GDPR, organisations have the freedom to undertake a fair and honest process of balancing out how best to protect the rights of individuals while being proportionate to the risks involved with the operations of an organisation. In short, you probably know your organisations and know where the risks are…. just make sure you document your decision making process!

The content of this briefing is for information only and does not constitute legal advice. We recommend that specific professional advice is obtained on any particular matter. We do not accept responsibility for any loss arising as a result of the use of the information contained in this briefing.