On 26 May 2018 the General Data Protection Regulation (‘GDPR’) will be enforced in the UK. Before this date, organisations must decide whether they are required to appoint a Data Protection Officer (‘DPO’), wish to appoint one voluntarily, or have no need for one at all.
GDPR states that:
- Public authorities;
- Businesses whose core activities include regular and systematic monitoring of data subjects on a large scale; or
- Businesses who are processing sensitive data on a large scale, or data relating to criminal offences/convictions,
will need a DPO. Otherwise it is up to the organisation as to what works for them.
If the activities key to your organisation’s core objectives include tracking or monitoring the behaviour of your data subjects on a regular basis, and on a large scale, you will need a DPO. Be mindful of the number of subjects, the volume or range of data, the duration or geographical extent of the processing.
Other examples where a DPO would be needed include processing personal data for behavioural advertising by a search engine or processing customer data by a bank.
A doctor at her surgery processing her patient data would not be doing so on a large enough scale to strictly require a DPO.
Equally, there would likely be no need for an employer to appoint a DPO if the sensitive data being processed is, say, payroll information. Few companies will be processing data of a sensitive nature on such a scale.
The DPO should have an appropriate level of GDPR knowledge for the business and will need to take an active role in GDPR issues from the outset. This will include monitoring the organisation’s compliance at all levels.
A single DPO can be appointed for complex corporate structures so long as they are available to management, staff and the ‘data subjects’ alike. Their contact details must be made readily available and they will deal with the supervisory authorities. Importantly, they must be independent and cannot hold a position that leads them to determine the purpose and means of the data processing. Whether the appointment is mandatory or voluntary, the expectations of the DPO are the same.
A DPO is not personally liable for any breaches; the controller or processor (usually the organisation) will still have to demonstrate that its activities are being performed within the GDPR requirements.
If you choose not to have a DPO, you should document why not. The Information Commissioner’s Office is responsible for enforcing GDPR in the UK and can impose fines for failing to appoint one.
For further advice on the best course of action for your organisation, please get in touch.