A version of this article aimed at Schools appeared in our October Schools' Newsletter.
One of the areas of the General Data Protection Regulation (GDPR) which most exercised medium-sized organisations during consultation (especially those hovering around the 250 staff mark) was the question of whether they would be caught by the new requirement for a mandatory Data Protection Officer (DPO). In the end, the relevant wording of Article 37 in the final GDPR text did away with the “size” test in favour of a more purposive test – but hence a less certain one, at least in the private sector.
What is clear is that public authorities will need a DPO. However, as is a problem in so many areas, due to a lack of a harmonised or autonomous EU concept of “public body”, the term is not defined in the GDPR and will mean something different in every EU country. It is perhaps too much to hope that a “mid-Brexiting” UK government will be sufficiently on-the-ball to create a definitive list, as exists for the Freedom of Information Act 2000 (FOIA). Institutions which are already on the FOIA list can safely assume the DPO requirement will bite on them, as can maintained schools.
As a point of best practice – or a practical necessity – many organisations already have a designated person with the role “data protection officer” (still sometimes erroneously called a “data controller” – a title which in fact properly refers to the organisation itself). Most obviously this phenomenon can be observed in schools and NHS Trusts, but also occurs in the private sector. However, although this role can already add considerably to the administrative burden of the individual (overseeing policy and training, dealing with subject access requests and breaches as they occur, etc.), the turbo-charged job specification of the DPO set out in the GDPR pushes the role to a higher operational level – and brings with it HR headaches.
For clarity: while we are still awaiting secondary supporting legislation and statutory guidance on various issues (which is no doubt well down the list of priorities in the build-up to Brexit), the GDPR will almost certainly come into effect here on 25 May 2018 regardless of the referendum result. It is then likely to remain on the statute books even after the formalities of leaving the European Union, or be replaced in time by something of a similar standard.
While it remains an arguable point as to whether every last detail of the GDPR needs to be aped in domestic law for the EU to consider the UK an “adequate” data trading partner, we cannot rely at this stage on any expectation that the burden will be lightened.
First, then: what are the expectations of the new DPO role?
• The DPO must be “properly involved”, and indeed promptly involved, in all issues related to the protection of personal data at the organisation – from drafting policy, to direct marketing, to dealing with requests from individuals.
• There is a requirement for “expert knowledge of data protection law”. This, notably, is not a requirement of IT expertise (although that might help – and some have argued this ought to be a given in 2018!). However, it connotes a legal and practical understanding of how the law protects the privacy rights of individuals – and a DPO must be appointed “on the basis of professional qualities”, not simply appointed within the organisation based on who is willing to take on the role.
• The DPO can however be an existing member of staff, or appointed to take on more than one role (legal, admin, governance, IT etc.). Data privacy and record handling must be an area of expertise, but provided the DPO’s ability to function in the role is not compromised (or indeed conflicted), it does not have to be his/her sole responsibility.
• Alternatively, a DPO can be contracted in – “outsourced”, in effect. This will require providing the outsider with full and unfettered access to the organisation’s data, and so will have to be robustly supported by contractual confidentiality.
• The DPO must have clout in their organisation. They need to report to the highest level of management – the board, the trustees – and organisations are legally obliged to give them support, training and resources.
• When appointed, the DPO’s details must be published and notified to the Information Commissioner (ICO).
The final, most controversial, facet is that a DPO must have a degree of independence from his/her employer. Ultimately the DPO’s duties are as much to the ICO and to the public (the organisation’s “data subjects”) as they are to their employer or paymaster. While we cannot say if DPOs in the UK will have the same robust, whistleblower-style job protections they already enjoy in Germany, it is clear in the GDPR text that DPOs “shall not be dismissed or penalised… for performing his [or her] tasks” and should not “receive any instructions” in how to carry them out.
In practice that definition of “instructions” may need to be explored, but it does raise worrying questions about how far DPOs should be left free to manage responses to requests for information (subject access requests) – which cause enough headaches for data controllers as it is – and what would be the practical consequences for a data controller if it chose to ignore the DPO’s advice about what documents must be disclosed.
Secondly, will your organisation legally require one?
• As above, for public authorities the question is a relatively simple one. In practice there may be a question as to whether each affiliated body – every state school, say, or NHS trust – will have their own DPO, or if the local authority will centralise the role (and if so, where that will leave free schools wishing to stay at arm’s length).
• Similarly, a multi-national, group of companies or wider foundation which meets the DPO requirement threshold will not necessarily need to appoint a DPO for every entity in their network: not unless the role is simply too big for one individual.
• So, what is the test for non-public bodies? It is one of purpose and circumstance; either
(i) do your “core activities” consist of either large-scale, systematic or regular monitoring of individuals?; or
(ii) do your “core activities” relate to large-scale processing of “special categories” of personal data? (this corresponds to sensitive personal data under the present law, e.g. health, sexual life, ethnicity, religion – and criminal allegations or convictions would also apply).
Many organisations will typically handle a good deal of sensitive personal information, or carry out a degree of monitoring – notably of staff, in both cases – but it may not be their core activity. Nor do we presently have a measurable concept of what “large scale” means. We therefore await ICO Guidance on this point (there will also be central EU guidance, but its application post-Brexit is to be questioned even if we have adopted the GDPR in full). However, it seems reasonable to assume it might apply to those in the data analytics business; those who offer wealth screening, corporate intelligence or cloud storage; and those whose core functions are to monitor and assess individual performance, or who regularly conduct medical or biometric tests (sports governing bodies, for example).
Thirdly: if you choose to have a designated DPO, or maintain a DPO-style role at your organisation, as a matter of discretion – even if it is not clear whether you strictly require one by law – are you still going to be held to the higher standard of the GDPR?
To set the scene: there is scope for what you might call discretionary DPOs, and it will be sensible for most organisations to want to delegate someone to take on data protection responsibilities. However, given the stiff standards of professional qualification and independence set out above for DPOs, you may be forgiven for asking: would we want to risk exposing ourselves to that level of potential grief and admin, if it is not a strict legal requirement? Or can we simply call him/her something else (e.g. “Data Admin” or “Compliance Officer”) and not notify the appointment to the ICO?
Until we receive ICO Guidance, this must be a matter of speculation. But we can say the following based on existing legal and regulatory principles:
(i) the DPO is intended to safeguard and monitor those organisations involved in a higher threshold of core, large-scale “data processing” activity. If your organisation does not, as a matter of law, meet the statutory definition of requiring a DPO, it would be illogical and inequitable to hold you to that strict legal standard;
(ii) however, if you wish to enjoy the regulatory protections accorded by a DPO (e.g. to point to your DPO as evidence of a “best practice” standard of data privacy compliance in your organisation in the event of investigation or enforcement), you cannot expect to be able to point to this appointment as an example of gold-standard governance if in practice that person does not have the support, expertise, protection and independence of a “real” DPO; and
(iii) the appointment of such a “quasi-DPO”, particularly if within one’s own workforce, will lead to many practical employment and HR questions in terms of what access, support and job protection that person can expect. Therefore the role and its limitations will have to be clearly defined to manage the individual’s expectations as well as for legal / regulatory clarity.
Where, then, does this leave the sector? Eagerly (or fearfully) awaiting ICO guidance, for one thing. It may be that the regulator will acknowledge that many organisations have important and sensitive “non-core” data processing activities, and will have a legitimate interest – but not a strict legal obligation – in appointing such a person, and should not be discouraged from doing so by heavy-handed regulation. This in turn may lead to a more “light touch” regime of compliance officers whose duties and skills are set out as a matter of good practice, rather than by strict requirement. But a hope for common sense to prevail is often a vain one.
The threat of imminent higher regulatory and employment standards should not deter you from delegating a competent and appropriate person at your organisation to handle data protection responsibilities, nor from giving them proper training and support. Even in the current regime, that should be a best practice consideration and will be a considerable practical boon whenever an incident happens (a difficult person requiring information, or a breach which leads to an investigation, say).
However, it would seem sensible to hold fire on making any additional appointments until we have guidance on what is expected come the morning of 25 May 2018.
If you require further information on anything covered in this briefing please contact Paul Jones (firstname.lastname@example.org; 020 3375 7254), Owen O’Rorke (email@example.com; or 020 3375 7348) or your usual contact at the firm on 020 3375 7000. Further information can also be found on the Data Protection page on our website.
This publication is a general summary of the law. It should not replace legal advice tailored to your specific circumstances.
© Farrer & Co LLP, October 2016