Most law firms will escape the requirement to appoint a data protection officer under the new data protection regime coming into force in May, the Law Society has said. However, in new guidance on the looming General Data Protection Regulation (GDPR), Chancery Lane advises all firms to consider whether or not they need to appoint such an officer - and to document their analysis in the event of a challenge.
The EU-wide GDPR comes into force on 25 May, placing new duties on organisations processing personal information. A separate Data Protection Bill is currently passing through parliament to implement the measure in domestic legislation, in place of the Data Protection Act 1998, and to extend its scope.
Under the regulation, private organisations whose ‘core activities’ involve ‘regular and systematic monitoring of data subjects on a large scale’ are among the bodies required to designate a data protection officer (DPO). The officer must have ‘professional experience and knowledge of data protection law’.
The guidance notes that as ‘few law firms will be systematically monitoring data subjects on a large scale’, most will escape the requirement. However, it warns that some firms may be processing ‘special categories’ of data, for example concerning health, ethnicity or criminal convictions, for which a data protection officer is mandatory.
‘If in doubt, firms may wish to appoint a DPO anyway on a voluntary basis,’ the guidance states. It also points out that DPOs are not personally responsible in the case of non-compliance, responsibility for which ‘will always remain with the firm’.
The guidance is part of a programme of support for Law Society members on GDPR, including an event in April.
Get Data Protection Ready: Down to the wire (Tues 17 April 2018, London)
The EU GDPR enforcement date of 25 May 2018 is fast approaching – is your organisation general data protection ready? With just a few months left, the Law Society is here to support you during your final and most crucial phase of compliance preparations. No matter what size your organisation is, this conference will provide you with practical tips to avoid the biggest pitfalls ahead by offering guidance from expert speakers from: the Information Commissioner's Office (ICO), the Law Society, the National Cyber Security Centre (NCSC), the Institute of Chartered Accountants in England and Wales (ICAEW) and DigitalLawUK.