The General Data Protection Regulation is here to stay: well beyond the date of Brexit. What do you need to know?
The clock has started ticking on the biggest change to the European data protection regime in 20 years. After four years of negotiation, the new EU General Data Protection Regulation (GDPR) will take effect on 25 May 2018. The government has confirmed that GDPR is here to stay, well beyond the date when the UK finally leaves the EU.
With some GDPR breaches carrying fines of up to 4% of global annual turnover or €20m, whichever is higher, now is the time to start advising clients on implementation (here is a summary of the main provisions).
Section 4 of the GDPR introduces a statutory position of data protection officer (DPO) who will have a key role in ensuring GDPR compliance. But who exactly will need a DPO and what is their role? The Article 29 Data Protection Working Party has now clarified this in its guidance (the A29 guidance) and a useful FAQ.
Who needs a DPO?
For the first time data controllers as well as data processors are required to appoint a DPO in three situations (article 37(1)):
a) where the processing is carried out by a public authority or body (except for courts acting in their judicial capacity)
Public authorities and bodies are not defined in the legislation. The guidance says this is a matter for national law. It is fair to say that all bodies subject to the Freedom of Information Act or the Freedom of Information (Scotland) Act will be covered by this requirement – for example councils, government departments, the health sector, schools and emergency services. However, it is likely also to cover private companies that carry out public functions or deliver public services in the areas of water, transport, energy, housing and so on (see Fish Legal v Information Commissioner and others  UKUT 0052 (AAC), which considers the definition of ‘public authorities’ under the Environmental Information Regulations 2004).
Private companies not involved in public functions or delivering public services will only need to appoint a DPO if they engage in the types of data processing operations described in article 37(1)(b) and (c).
b) where the core activities of the controller or the processor consist of processing operations which, by virtue of their nature, scope and/or purposes, require regular and systematic monitoring of data subjects on a large scale
Companies whose activities involve processing personal data on a large scale for the purposes of behavioural advertising, online tracking, fraud prevention, detection of money laundering, administering loyalty programmes, running CCTV systems, monitoring smart meters and so on will be caught by the DPO requirement.
c) where the core activities of the controller or the processor consist of processing on a large scale of special categories of data or personal data relating to criminal convictions and offences
Special categories of data are broadly the same as sensitive personal data under the Data Protection Act 1998 – for example ethnic origin, political opinions, religious beliefs and health data – with the addition of genetic data and biometric data processed to uniquely identify a person. This provision will cover, among other things, polling companies, trade unions and cloud providers storing patient records.
Unless it is obvious that an organisation does not need a DPO, it should keep a record of the analysis behind its decision not to appoint one. The A29 guidance suggests that it will be good practice to appoint a DPO voluntarily in some cases – for example, where private organisations carry out public tasks. This could include companies delivering core public services under an outsourcing arrangement – for example housing maintenance companies or charities delivering social services. A group of undertakings may appoint a single DPO provided that the DPO is easily accessible from each establishment and there are no conflicts of interest.
Even organisations not based in the EU may be caught by GDPR and the requirement to appoint a DPO. GDPR will apply to any entity offering goods or services to individuals in the EU (whether or not payment is taken) and to any entity monitoring the behaviour of individuals within the EU. The test is where the data subjects are, not their nationality. Companies are now directly responsible for data protection compliance wherever they are based (and not just in their EU-based offices) as long as they are processing the personal data of people in the EU.
According to article 37(5), the DPO shall be designated on the basis of professional qualities and, in particular, expert knowledge of data protection law and practices and the ability to fulfil the tasks referred to in article 39. These are:
- to inform and advise the controller or the processor and the employees who are processing personal data of their obligations pursuant to this regulation;
- to monitor compliance with this regulation, including the assignment of responsibilities, awareness-raising and training of staff involved in the processing operations, and the related audits;
- to provide advice where requested as regards the data protection impact assessment and monitor its performance pursuant to article 35;
- to cooperate with the supervisory authority (the ICO in the UK); and
- to act as the contact point for the supervisory authority on issues related to the processing of personal data.
The A29 guidance states: ‘Although article 37 does not specify the professional qualities that should be considered when designating the DPO, it is a relevant element that DPOs should have expertise in national and European data protection laws and practices and an in-depth understanding of the GDPR. It is also helpful if the supervisory authorities promote adequate and regular training for DPOs.’
The necessary level of knowledge should be determined according to the operations carried out and the protection required for the data being processed. For example, where a data processing activity is complex, or where a large amount of sensitive data is involved, the DPO may need a higher level of expertise and support. The necessary skills and expertise include:
- expertise in national and European data protection laws and practices, including an in-depth understanding of the GDPR; an understanding of the processing operations carried out; an understanding of information technologies and data security; and knowledge of the business sector and the organisation;
- the ability to promote a data protection culture within the organisation.
Officially there is no formal qualification for DPOs to undertake before commencing their role (although some training companies, including my own, offer certificated courses to help potential DPOs acquire the above-mentioned skills and expertise).
The DPO must be allowed to perform tasks in an independent manner and should not receive any instructions regarding the exercise of their tasks. They report to the highest management level in the organisation and cannot be dismissed or penalised for doing their job.
The DPO can be a staff member or contractor. This provides an opportunity for law firms to offer this service to clients, as long as there is no conflict of interest.
Article 38(2) of the GDPR requires the organisation to support its DPO by ‘providing resources necessary to carry out [their] tasks and access to personal data and processing operations, and to maintain his or her expert knowledge’. The A29 guidance says that, depending on the nature of the processing operations and the activities and size of the organisation, the following resources should be provided to the DPO:
- active support of the DPO’s function by senior management;
- sufficient time for DPOs to fulfil their duties;
- adequate support in terms of financial resources, infrastructure (premises, facilities, equipment) and staff;
- official communication of the designation of the DPO to all staff;
- access to other services within the organisation so that DPOs can receive essential support, input or information from those other services; and
- continuous training.
Some say 28,000 DPOs will be required in the UK and US and that there will be a skills shortage.
GDPR presents many marketing opportunities for law firms with data protection expertise.
Ibrahim Hasan is a solicitor and director of Act Now Training