In this instalment of the blog series regarding the impact of the GDPR the focus is on data protection compliance and ongoing monitoring.
Every organisation will need to designate someone to be responsible for compliance with data protection in general and the GDPR in particular.
All organisations will, therefore, need to address the question of where this role will sit within the organisation’s structure and governance.
So, does every organisation have to specifically appoint a Data Protection Officer (DPO)?
Organisations that are data controllers or data processors and hold, use or process data that is deemed to be in one of the special data categories (health records or criminal convictions for example) must mandatorily appoint a Data Protection Officer.
The GDPR regulations do however consider it best practice that every organisation voluntarily appoints a DPO.
The DPO may be either internal or external but either way it is essential that they take proper responsibility for the organisation’s data protection compliance and that they have suitable knowledge and authority to perform the role.
Where a data controller and a data processor dealing with the same data are separate entities and are required to appoint a DPO, to avoid a conflict of interest arising they must each appoint a different DPO.
The remainder of this blog will focus on the requirements the GDPR places upon data controllers and data processors about the DPO and will look at the attributes required of a DPO and the tasks a DPO is expected to undertake.
However, this blog will not cover the additional responsibilities placed on organisations involved in large-scale data processing or the control or processing of special categories of data, and it is recommended that any organisation undertaking such activities seek independent legal advice in this regard.
The DPO’s core activity is not itself the processing or control of data; it is to ensure that all data held or processed within an organisation or passed to a third party for processing is held and processed by the GDPR.
A DPO contracted to a dental practice, for example, is not there to assist with toothcare, but to ensure that the patient’s records are handled and maintained by the GDPR’s requirements.
To achieve this, ‘regular and systematic monitoring’ of the way data is held or processed should be taking place. The monitoring should be ongoing at recurring or particular intervals and should be systematic in that it follows a system or set process.
Moving on to look at the attributes required of a DPO, location is the first thing to be considered.
The DPO must be easily accessible by all parties: the data controller or the data processor they are representing, the data subjects, and the supervising authority (the Information Commissioner’s Office in the UK).
The DPO must also speak the language of the data subjects and the supervising authority. Although not stipulated in the GDPR, good practice guides suggest a level of competency in the language concerned of ILR level 3 or level 4 (professional fluency).
The appointed DPO should have expertise relevant to the data the organisation holds or processes, and business sector knowledge would be an advantage.
Professionally the DPO should have substantial knowledge of EU and national law and a thorough understanding of the GDPR.
The DPO is required to have the professional qualities and knowledge to fulfil the tasks
required of the particular organisation – which may indeed extend beyond the ‘essential’ tasks which we will come onto later.
Whenever a DPO is engaged on a service contract the following key elements are required:
- No conflicts of interest
- The ‘standard’ terms of service (consultancy) contract should apply
- A clear schedule of tasks
- Audit dates
- Frequency and scope of audits
- Whether audits are scheduled or ‘blind.’
- The training modules to be provided to the organisation’s employees by the DPO
Whether the DPO is internal or external (i.e. engaged on a ‘service’ contract), their contact details must be published and communicated to all employees, affected parties, customers and suppliers and the supervising authority.
Best practice recommends a dedicated telephone number and email address for secure communication with the DPO.
The GDPR imposes certain criteria that the engaging or employing organisation must provide to or in respect of the DPO. A brief outline of the main criteria is that:
- the DPO must be involved in all decisions relating to data protection;
- all necessary resources must be provided for the DPO to fulfil their obligations which includes but is not limited to support at board level, time to fulfil duties, and adequate support with finance, infrastructure and staff when necessary;
- the organisation is required to communicate the DPO’s contact details to all employees, along with a brief outline of the duties the DPO will be performing;
- as and when necessary the DPO should have (reasonable) access to HR, IT, and legal departments to execute their duties as DPO;
- the DPO must undertake continuous training and keep up to date with legislation and technology, which can be done through CPD, privacy forums, workshops and formal education courses – and where the DPO is an employee, the organisation has to facilitate this ongoing training.
The tasks of a DPO fall into four major categories on a day-to-day basis, as well as managing the investigation and response to data breaches, should they occur. These four categories are:
- Monitoring compliance with GDPR
- Conducting Data Protection Impact Assessments (DPIA)
- Article 35(1) states that it is the duty of the DPO to ascertain the risk of data breaches with regard to the data held or processed and to advise the organisation in this regard, as well as monitor the performance (i.e. whether it is still up to date, sufficient and appropriate) of the DPIA over time
- Article 30 (1) and (2) state that the data controller or data processor must maintain suitably and up to date records, and the DPO must monitor and control the register of data and data processing activities to ensure that the process employed by the data controller or data processor is still relevant to the data held and processed
- Training of the organisation’s employees about data protection, data protection by design (ensuring any software or software update is built around ensuring data is secure first, and all other features are built around ensuring data security) and all aspects of data privacy and data security.
The role of DPO is critical, and appointments should be made wisely and with the benefit of expert advice where there is any question.