Who should appoint a Data Protection Officer?
The EU General Data Protection Regulation (GDPR) will make it mandatory for some organisations in the UK that process the personal data of EU citizens to appoint a Data Protection Officer (DPO).
There are widespread misconceptions about the type of organisations that come into scope of this requirement. The criteria are set out in Article 37 of the GDPR, which makes it mandatory to appoint a DPO in organisations:
- where the processing is carried out by a public authority or body;
- where the core activities of the controller or the processor consist of processing operations which, by virtue of their nature, scope and/or purposes, require regular and systematic monitoring of data subjects on a large scale; or
- where the core activities of the controller or the processor consist of processing on a large scale of special categories of data or personal data relating to criminal convictions and offences.
The GDPR does not define what constitutes a ‘public authority or body’. The term is instead defined by national law and includes national, regional and local authorities. It may also include other bodies designated as public authorities under that law.
In addition, other bodies carry out public tasks and exercise public authority, such as public transport services, water and energy supply, road infrastructure, public service broadcasting, public housing, disciplinary bodies for regulated professions, schools and academies, libraries, state-funded museums and the NHS. There is no obligation under the GDPR that such bodies appoint a DPO but it is recommended by the EU data protection working party that they do so.
‘Core activities’ are the key operations necessary to achieve the organisation’s goals. They also include processing of data that cannot be separated from the organisation’s main activity. For example, the core activity of a hospital is to provide health care, but a hospital could not provide health care without processing health data such as patients’ health records. Processing this data is therefore one of the hospital’s core activities, and hospitals must designate DPOs.
As another example, a private security company carries out the surveillance of private shopping centres and public spaces. Surveillance is the core activity of the company, so it must designate a DPO.
On the other hand, all organisations carry out certain activities, for example, paying their employees or having standard IT support activities. These are necessary support functions for the organisation’s main business. Even though these activities are necessary or essential, they are usually considered ancillary functions rather than the core activity.
If the processing of personal data is carried out on a large scale, then a DPO must be appointed. The GDPR does not define what constitutes ‘large scale’ and is intentionally vague in this regard, as a precise number would not be applicable in all situations. The following factors are a guide:
- The number of data subjects concerned – how many are involved?
- The volume of data and/or the range of different data items being processed – how much data does the organisation hold?
- The duration, or permanence, of the data processing activity – how long does the organisation retain the data?
- The geographical extent of the processing activity – is this a regional, national or international organisation?
Examples of large-scale processing include:
- processing of patient data in the regular course of business by a hospital
- processing of travel data of individuals using a city’s public transport system (e.g. tracking via travel cards)
- processing of customer data in the regular course of business by an insurance company or a bank
- processing of personal data for behavioural advertising by a search engine
- processing of data (content, traffic, location) by telephone or internet service providers
Examples that do not constitute large-scale processing include:
- processing of client data by an individual lawyer or health information by a single doctor
Regular and systematic monitoring of data subjects on a large scale
The notion of regular and systematic monitoring of data subjects is not defined in the GDPR but is mentioned in the explanatory recitals. The relevant recital states that ‘monitoring the behaviour of data subjects’ clearly includes all forms of tracking and profiling on the internet, including for the purposes of behavioural advertising. However, the notion of monitoring is not restricted to the online environment, and online tracking should be considered only one example of monitoring the behaviour of data subjects.
The EU Data Protection Working Party interprets ‘regular’ as meaning one or more of the following:
- Ongoing or occurring at particular intervals for a particular period
- Recurring or repeated at fixed times
- Constantly or periodically taking place
It interprets ‘systematic’ as meaning one or more of the following:
- Occurring according to a system
- Pre-arranged, organised or methodical
- Taking place as part of a general plan for data collection
- Carried out as part of a strategy
Examples of activities that may constitute regular and systematic monitoring of data subjects include:
- operating a telecommunications network
- providing telecommunications services
- email retargeting
- profiling and scoring for purposes of risk assessment (e.g. for purposes of credit scoring, establishment of insurance premiums, fraud prevention, detection of money laundering)
- location tracking, for example, by mobile apps
- loyalty programs
- behavioural advertising
- monitoring of wellness, fitness and health data via wearable devices
- closed circuit television
- connected devices e.g. smart meters, smart cars, home automation, etc.
A small family business that distributes household appliances in a single town uses the services of a business whose main activity is to provide website analytics services and assistance with targeted advertising and marketing. The activities of the family business and its customers do not generate processing of data on a ‘large scale’, considering the small number of customers and the relatively limited activities. However, the activities of the marketing company, which has many customers like this small enterprise, taken together amount to large-scale processing. It must therefore designate a DPO. The family business does not have to designate a DPO.
A medium-size manufacturing company subcontracts its occupational health services to an external provider, which has a large number of similar clients. This external provider shall designate a DPO provided that the processing is on a large scale. However, the manufacturer is not necessarily under an obligation to designate a DPO.
Special categories of data
Special categories of data are those that reveal a person’s racial or ethnic origin, political opinions, religious or philosophical beliefs or trade union membership, together with genetic data, biometric data and data concerning health, sex life or sexual orientation. The GDPR states that an organisation shall designate a data protection officer in any case where its core activities consist of processing special categories of data on a large scale.
The key here is the term ‘large scale’, which has been addressed above. An individual health-care provider will not have to appoint a DPO; however, an individual health-care provider will still have to be fully GDPR compliant in terms of their policies and processes.
Organisations that process special categories of data on a large scale will have to appoint DPOs. This could include charities, trade unions, religious organisations or HR consultancies.
If you are still not sure whether or not you must appoint a DPO then you should contact the Information Commissioner’s Office for further advice.
Our extremely popular one-day course, Preparing for the General Data Protection Regulation, is a step-by-step guide to GDPR and will help you understand what you should be doing now and in the coming months to prepare for the important changes. The course will show you how to comply with the Regulation and what will change from the existing legislation. It will explain the new rules regarding the legal basis for processing, consent, privacy notices, control of personal data, mandatory breach reporting, complaints and penalties. The financial penalties for non-compliance will be very substantial so it is absolutely vital that your organisation is fully prepared as early as possible.