Penny Bygrave sets out what all public authorities should know about appointing a data protection officer under the GDPR.
When the General Data Protection Regulation (GDPR) comes into force on 25 May 2018, it will be mandatory for all public authorities to appoint a Data Protection Officer (DPO).
In order to comply with this requirement, it is necessary to understand how the appointment should be made; the tasks and responsibilities that the appointed individual will assume; and the ongoing support that must be provided to the DPO by the authority.
In summary, the DPO must:
- report to the highest management level in the business (usually the board)
- operate independently and may not be dismissed or penalised for performing their data protection role
- have professional experience and expert knowledge of data protection law and practices
- be provided with adequate resources to meet their GDPR obligations
- be involved in privacy impact assessments and delivering privacy by design
What Is a Public Authority for GDPR Purposes?
Any 'public authority or body' must appoint a DPO. These terms are not defined in the GDPR, but guidance from the Information Commissioner's Office (ICO) is that if you are a public authority as defined under the Freedom of Information Act 2000, it is likely that you will be a public authority for the purposes of the GDPR.
If you are unsure whether your organisation is a public authority for these purposes, please get in touch with us.
Who to appoint as DPO?
The GDPR does not specify the precise credentials that a DPO must have. However, it does require that they should have appropriate professional experience and expert knowledge of data protection law.
The level of experience should be proportionate to the organisation's activities, but 'expert' is a fairly high threshold. ICO Guidelines state that the sensitivity, complexity and amount of data processed within an organisation will affect the expertise required of a DPO. They also recommend that the DPO have a sufficient understanding of the controller's operations, as well as of its information systems, data security and data protection needs.
For many organisations, it will be challenging to find an existing employee who satisfies the requirements of being a DPO. This may mean that such organisations have to engage outside consultants, at potentially significant expense. Further, care should be taken if allocating the role to an existing member of staff to ensure the requirement for independence is not compromised.
The ICO Guidelines clarify that a single DPO can be appointed for a corporate group (or several entities within a group) provided that he or she is easily accessible from each business location for which he or she is responsible. This is a welcome development for organisations, but it will be important to ensure that such a DPO is provided with sufficient resources to perform the role.
Tasks to be undertaken by a DPO
The GDPR sets out a non-exhaustive list of tasks that a DPO must carry out. As a minimum, the DPO must:
- inform and advise you and your employees involved in data processing
- monitor compliance with the GDPR and other data protection laws and with your data protection policies
- raise awareness of data protection issues, train staff and conduct internal audits
- provide advice on data protection impact assessments, and monitor the process
- cooperate with the ICO and act as the ICO's point of contact for all issues relating to data processing
Ongoing support to be provided to a DPO
The GDPR sets down a number of ways in which organisations are required to support their DPO. You must ensure that the DPO:
- is involved, closely and in a timely manner, in all data protection matters
- reports to the highest management level, i.e. board level
- operates independently and is not dismissed or penalised for performing their tasks
- is provided with adequate resources (sufficient time, finance, infrastructure and, where appropriate, staff) to meet their GDPR obligations and maintain their expert level of knowledge
- is given appropriate access to personal data and processing activities and other services within your organisation so that they can receive essential support, input or information
If at any time you decide not to follow the advice given by your DPO, you should document your reasons to help demonstrate your accountability.
You must publish the contact details of your DPO and provide them to the ICO. This is to enable individuals, your employees and the ICO to contact the DPO as needed. You aren’t required to include the name of the DPO when publishing their contact details but you can choose to provide this if you think it’s necessary or helpful.
Finally, it is important to remember that the DPO isn’t personally liable for data protection compliance. The public authority remains responsible for GDPR compliance. Nevertheless, the DPO clearly plays a crucial role in helping you to fulfil your organisation’s data protection obligations.
The GDPR creates an explicit requirement for public authorities to appoint a Data Protection Officer. This applies to both controllers and processors.
You can appoint a DPO if you wish, even if you aren't required to. If you decide to appoint a DPO voluntarily, however, you should be aware that the same requirements for the position and its tasks apply as if the appointment had been mandatory.
Organisations subject to this requirement should ensure that they understand how to go about making the appointment, the tasks and responsibilities that will be assumed by the DPO, and their duty to provide the DPO with support.