DPO as a service
The DPO ‘Primer’
What does a DPO do?
The Data Protection Officer (DPO) is a formally recognised job role in the GDPR, whose key functions include:
- inform and advise the organisation and its employees
- monitor compliance with both the GDPR and the organisation’s policies
- direct and/or assist with the assignment of privacy related responsibilities
- raise awareness and train personnel
- cooperate with supervisory authorities e.g. the Information Commissioner
- be the ‘go to’ person and point of contact
Do we need a DPO?
The law does not require organisations to appoint a DPO unless specific conditions are met.
A DPO is ALWAYS required for a Public Authority or Body. Not sure if you are one? The Data Protection Act 2018 will tell you (i)
If your organisation is NOT a Public Authority or Body, you need to ascertain whether your organisation’s CORE ACTIVITIES, i.e. the primary business activities, either:
- require regular and systematic monitoring of data subjects on a large scale, OR
- consist of processing on a large scale of special categories of data and personal data relating to criminal convictions and offences.
If NEITHER of the above applies, then you are not required to appoint a person in the formal role of DPO. You can appoint a DPO if you wish, even if you aren’t required to. If you decide to voluntarily appoint a DPO, the same requirements of the position and tasks apply as if the appointment had been mandatory (ii).
The UK Information Commissioner has developed a short (5 minute) questionnaire to help determine whether you need to appoint a DPO (iii). Unfortunately, there is no guidance on the key phrase ‘large scale’, so save yourself some time!
What is Large Scale?
‘Large Scale’ was defined in the Draft version of GDPR as 5000 records, but this did not make it to the final version. Recital 91 of the GDPR has the potentially useful inclusion of ‘The processing of personal data should not be considered to be on a large scale if the processing concerns personal data from patients or clients by an individual physician, other health care professional or lawyer. In such cases, a data protection impact assessment should not be mandatory’.
EDPB guidelines WP 243 rev.01 give the following examples of large scale processing:
- processing of patient data in the regular course of business by a hospital
- processing of travel data of individuals using a city’s public transport system (e.g. tracking via travel cards)
- processing of real time geo-location data of customers of an international fast food chain for statistical purposes by a processor specialised in providing these services
- processing of customer data in the regular course of business by an insurance company or a bank
- processing of personal data for behavioural advertising by a search engine
- processing of data (content, traffic, location) by telephone or internet service providers
What is regular and systematic monitoring?
‘Regular and systematic monitoring’ of data subjects includes all forms of tracking and profiling, both online and offline. An example of this is for the purposes of behavioural advertising.
Companies that employ technology like Hotjar to develop web profiles and lead scoring algorithms will be employing ‘regular and systematic monitoring’.
OK, we need one. Who can be our DPO?
The DPO MUST be chosen on the basis of their professional qualities, and in particular, experience and expert knowledge of data protection law.
There are currently no approved schemes or qualifications, but organisations like the International Association of Privacy Professionals (IAPP) have examined certification schemes, e.g. the Certified Information Privacy Professional/Europe (CIPP/E), which can give a good indication of experience and knowledge.
Can the DPO be an existing member of staff? Yes, but if they hold a position within your organisation that leads them to determine why and how personal data is being processed, then they are RULED OUT. The law aims to ensure that there is no conflict of interests whereby the requirements of privacy become secondary to the business interests.
Great! We don’t have anyone like that. Can we contract out the role?
Yes. Just ensure that they have the same position, tasks and duties as an internally-appointed DPO.
Can we save costs by having one outsourced DPO cover all our operating divisions and companies?
Yes. Make sure the DPO can realistically cover a large or complex collection of organisations. You need to ensure they have the necessary resources to carry out their role and are supported with a team, if this is appropriate.
Need help? iCompli can provide outsourced DPO services – contact info@icompli.co.uk for further information
Go-to resources
The UK Information Commissioner guidance on DPOs
The EDPB (A29WP) Guidance on DPOs
i Data Protection Act 2018 PART 2 Chapter 2 Section
ii Information Commissioner DPO Guidance
iii Should I appoint a DPO? Information Commissioner Guidance