The actual role of Data Protection Officer requires a polymath with a considerable range of skills who operates rather like a regulator within your organisation. Specifically, they must not be subject to an internal conflict of interest, as they report to the most senior level of management. Therefore a senior executive, or a solicitor from your organisation’s law firm, will be unlikely to be suitable. Your CEO will be obligated to take your DPO’s advice, or to document their reasons for not actioning these recommendations, such that they can demonstrate their reasoning should it become necessary to answer to the Information Commissioner’s Office for any failure.
Thus even if you could find one of these paragons of multiple virtues, it would be reasonable to conclude that if you did not absolutely have to make the appointment, then you would likely choose not to do so!
The bad news for some is that the GDPR introduces a legal requirement for certain types of organisations to appoint a DPO. This of course means that the good news is that not every organisation needs to do so. That said, even where you may not be legally required to appoint one, appointing a DPO can still bring many benefits to your organisation.
If you do make a voluntary appointment, then you have the option of whether you register that person with the ICO; however, you MUST do so if your organisation is of a certain type, or the data you process falls within certain categories.
The first is if you are any sort of public body, essentially any organisation that is subject to Freedom of Information requests. This therefore includes state schools and all parish and town councils.
Secondly, if you have more than 250 employees – always assuming that you are either a controller or a processor of sensitive data, which most organisations of any scale will inevitably be, if only of their own staff information.
Thirdly, if you are involved in systematic processing, which includes ‘large scale’ monitoring via CCTV, especially if you are monitoring the public or using automatic number plate cameras. It is not all about digital data. Sensitive data held in paper files and on media such as memory sticks all fall within the scope of the Regulation.
Generally if you are big, and involved in the large scale processing of thousands of records, especially if profiling is automated, then you must have a DPO and register with the ICO.
If you are smaller, or out of scope in other ways, then the challenges of GDPR will still apply, and you will need the technical support that a DPO will provide, but you will not be compelled to register that service with the ICO.
Remember that size is not everything when it comes to needing a DPO. It is also down to the categories of data you process. If you do not know what categories of data you process, start by completing our threshold questionnaire or carry out an Impact Assessment.
Control or Process?
Almost the very first question to be asked within an impact assessment has to be “where is your data”? Within the modern scenario of various personal devices connected to perhaps a corporate server – in turn backing up to a remote server, or shared information services – the question may not be a simple one to answer, but it matters hugely, so answer it you must, and we will explain why.
Let us deal with definitions first. If your organisation manages and controls all its information within your own environment then you are regarded as the Data Controller and the buck stops with you – making life relatively simple.
If on the other hand you use a cloud provider or data centre where the service or server is operated by a third party that is not part of the management of your organisation, but you decide entirely on what is done with your data within that service, then you remain the Data Controller, but the other party becomes a Data Processor who must now comply on your behalf and therefore mirror all your legal requirements.
Often there will be a mixture of the two, and such a hybrid setup is likely to be extremely common.
Let us now come to why it matters. Firstly because you, as the Data Controller, are legally responsible at all times for all aspects of your data, wherever it is. Secondly, because the Regulation demands that the Data Processor be contractually held equally liable should they cause a breach or any other default, notwithstanding that the Controller will also be pursued for it.
Thus it is important to be absolutely clear regarding the operational responsibility for any part of any processing activity that you are involved in – and when you really check there may be multiple examples, such as an external payroll service, HR consultants, your accountants, solicitors or marketing agency; the list goes on. Thereafter GDPR requires you to have very clear contracts with all of your processors that set out the entirely new commitment needed from them, especially when it comes to liabilities.
Indeed the location of some servers might dictate that you have to change your supplier, a complex and costly exercise even for smaller organisations.
It starts at all times with the Controller of course, and equally a professional Processor is going to come up to speed quickly with standard contractual terms that ensure they keep their Controller clients’ business, so it is not going to be all doom and gloom, but you will find support from a DPO rather helpful when it comes to dealing with the related minefield!