GDPR DPO and Article 37

The General Data Protection Regulation (GDPR) has been in force for a few months now, but many businesses are still struggling to achieve compliance. For non-experts, GDPR compliance projects create almost as many questions as they solve. As the GDPR supersedes the Data Protection Act 1998, everything has changed – apart from everything that hasn’t. You may well have heard of the data protection officer (DPO) before – but is the role still the same?

What does the GDPR DPO do?

The GDPR DPO is a designated individual who acts as an independent advocate in all matters that relate to personal data and data protection. The DPO liaises with data controllers and processorsto ensure that their operations are compliant with the law. Ultimately, they are tasked with helping to de-risk data collection and processing routines by ensuring the rights of the individual are upheld. In Article 37, the Regulation specifies that the DPO does not have to be an in-house employee (the role can be contracted out), but they are expected to have “expert knowledge of data protection law and practices”. This individual is the expected to carry out a number of duties outlined in Article 39, including:

  • Providing advice to your employees about compliance as they process personal data.
  • Monitor corporate compliance with GDPR and raising awareness throughout the organisation.
  • Liaise with the Information Commissioner’s Office during audits, investigations or in relation to any other data protection issue.

Fundamentally, the GDPR DPO is your primary point of contact for all things data protection. Given the importance and implications of GDPR compliance they should report directly to your senior management. They will also need to be well resourced to ensure they can properly discharge all of their duties.

Didn’t you already have a DPO?

Data protection laws are nothing new. Prior to GDPR, your business was already subject to the Data Protection Act 1998 for instance. And sure enough, the concept of a data protection officer was specified in that legislation too. Unless your business was started in the last two months, you should have had a DPO in place already.

What has changed?

In terms of the job of DPO, virtually nothing has changed since the introduction of GDPR. The DPO is still a named individual who provides advice about data protection issues within the company and liaises with the relevant authorities when issues arise. If you already have a DPO, they can continue in the role – so long as they complete additional training in the new requirements of the GDPR itself.

Do you really need a GDPR DPO?

Under the Data Protection Act, every business was required to have a designated data protection officer. Under GDPR however, this requirement has changed significantly. In fact, according to the UK’s Information Commissioner’s Office, there are only three instances in which you must appoint a DPO:

  1. You are a public authority or body (except for courts acting in their judicial capacity);
  2. Your core activities require large scale, regular and systematic monitoring of individuals (for example, online behaviour tracking like Google or an adtech firm)
  3. Your core activities consist of large scale processing of special categories of data or data relating to criminal convictions and offences.

This would suggest that the European Courts are only expecting the largest companies to appoint a GDPR DPO. Unfortunately, the issue is not clear-cut.

Do SMEs need a GDPR DPO?

During a panel discussion at the Infosec 2017 conference, Peter Brown, the senior technology officer of the Information Commissioner’s Office said, “I’ve heard plenty of people talking about there being a DPO exemption for SMEs – this is absolutely not the case.” It is possible that Brown was talking in relation to SMEs who have massive personal data collection operations as described above. Given the context of his statement however, it appears that the ICO expects all businesses handling personal data to appoint a DPO – even if they fall outside the requirements outlines in the GDPR. There are some clear, unarguable situations in which your business does not require a DPO:

  • Your main business activities do not involve monitoring data subjects, and you do not infringe the rights of data subjects.
  • You do not collect, store or process any special category personal information at all.
  • You only process the special category personal information of a very small group of data subjects – like the personnel data you hold for your own employees.

As with most GDPR compliance decisions, you should keep a record of how you assessed your need (or lack thereof) for a DPO in your organisation. As your business grows, or your data collection and processing routines change, you should regularly revisit this decision, appointing a DPO as soon as you meet the threshold requirements. And don't forget – choosing not to appoint a DPO does not exempt you from your GDPR compliance obligations.

Consider appointing a volunteer

If you are not technically required to appoint a DPO, you could consider inviting one of your employees to carry out the duties on a voluntary basis. This will help to raise your overall levels of compliance and avoid the significant costs of trying to hire a specialist – assuming you can find one who is available. With a volunteer in place, you can begin taking a more proactive approach to monitoring and improving GDPR compliance. There is one caveat to this approach however. Once a DPO has been appointed, the obligations outlined in Articles 37, 38 and 39 (see above) apply – even if the role is voluntary. Your volunteer DPO will have to perform the role to the same high standards as a full-time professional.

Better safe than sorry

On the balance of probabilities it would appear that your business would be well served by appointing a DPO, even if you do not meet the specific requirements laid out in the GDPR guidance. In these early days following GDPR go-live, it may be sensible to consider hiring a data protection expert, or outsourcing DPO responsibilities to a third party service provider. This approach will help you assess and improve compliance and provide you with the knowledge and experience you need to reach a baseline level of adherence to GDPR. You can then choose to take responsibilities back in house once you are more confident in your data protection processes and capabilities.

Your action plan

  • Identify whether your business has a legal duty to appoint a DPO and act accordingly.
  • Consider the type of GDPR DPO that would best benefit your business – full time employee, third party consultant, outsourced service, volunteer.
  • Give your DPO access to senior management and funding to ensure they can do their job properly.
  • Review your DPO provisions on a regular basis to ensure you remain compliant.

To learn more about achieving GDPR compliance and how Consentric can make the process of assessing and maintaining compliance easier for your DPO, please get in touch.

Ready to get started?

No setup costs or contract – start managing your customers permissions today

Sign up now