Almost a year on from the implementation of the GDPR, this is a question that organisations ask us all the time. The nightmare scenario is this:
It is 6am and the ICO van screeches to a halt outside your company’s front door. Out jumps a team of burly investigators in their official ICO wind-breakers, armed with a battering-ram and demanding to talk to your DPO immediately. They want to check whether the DPO’s expert knowledge of data protection law and practices is up to scratch. They will do this by asking the poor DPO a set of really hard questions about data protection.
“Where and when was the first ever data protection law enacted?”
“Name all 22 of a Data Protection Supervisory Authority’s tasks and all 25 of the European Data Protection Board’s tasks.”
“List all the countries of the world that the EC considers to be ‘inadequate’ in data protection terms.”
“Why is there such a thing as a ‘pseudonym’ but not ‘anonym’?”
And on it goes all night. The required pass-rate is 100%. But then it occurs to you.
“I don’t have a DPO – I didn’t think I needed one.”
“Ignorance of the law is no excuse, sonny, come with me.”
And you’re trundled off for re-education at the ICO’s heavily fortified eagle’s nest in darkest Cheshire. You will never be allowed to process personal information ever again…
As is often the case under the GDPR, not appointing a DPO when required to do so can result in a big fine – up to €10M (around £8.5M at the time of writing) or 2% of total worldwide annual turnover, whichever is higher – but the way the GDPR is framed means that in many cases it is not clear whether an organisation has to appoint a DPO or not. Understandably, this leads to uncertainty, and in some cases to organisations appointing a DPO when they may not have to, and vice versa. But this isn’t just about legal compliance; it is about how organisations go about developing a culture of respect for personal information, and about the human resources and organisational structures they need in order to do this.
The thresholds for appointing a DPO
When the GDPR was being negotiated and its text finalised, the legislators tried to introduce a ‘risk-based approach’. This is an approach many data protection regulators – particularly the ICO here in the UK – have tried to follow, and it is reflected in the GDPR’s requirement for appointing a DPO. The requirement is aimed at public sector bodies, because of the significance of the information they can hold and its potential effect on people – crime, taxation, health, access to benefits and so forth. It is also aimed at those organisations whose ‘core activities’ involve the ‘regular and systematic monitoring’ of individuals on a ‘large scale’, and at those whose ‘core activities’ consist of the ‘large scale’ processing of special category data or data about criminal convictions/offences.
It is clear therefore that the GDPR does not require all organisations to appoint a DPO, but the criteria for appointing one – quoted above – are far from clear. There is some Art.29 WP / EDPB guidance about this but it doesn’t help much. For example, a retail bank with a million customers will routinely monitor its customers’ accounts for fraud prevention and various other purposes. It seems clear in this case that the appointment of a DPO will be required. But what about a small wealth-management company with just a hundred or so clients? It would still be carrying out the regular and systematic monitoring of its clients’ accounts, but presumably not on a large scale – if so, it would not have to appoint a DPO. However, even though the scale may be different, the data privacy issues that the two organisations have to deal with will be much the same. This supports the argument that the main issue is not whether to appoint a DPO, but rather how to make sure that an effective data privacy function is in place.
The ‘baggage’ that goes with a DPO
Some organisations have been frightened to appoint a DPO, for a number of reasons. There is a fear that an independent DPO could be too independent and could side with the subjects of the personal information, at the expense of the organisation that collects the information and that pays the DPO’s – probably considerable – salary. The DPO could become a whistle-blowing ‘enemy within’ – a role that companies, in the UK at least, may view with suspicion. There is also a fear that a DPO could be virtually un-sackable, a bit like trade union officials in some EU countries. The fact that a DPO cannot be given any instruction as to how to carry out their data protection tasks can exacerbate this issue. A literal reading of the GDPR suggests that even if a DPO performs their data protection tasks incompetently, the DPO still cannot be sacked.
Then there is the problem of finding a DPO with the ‘expert knowledge of data protection law and practices’ that the GDPR requires, plus the ability to carry out the very extensive list of ‘tasks of the DPO’ – this is no easy job description – and who must be given the necessary support and resources to do all this and to report directly to the ‘highest management level’. This is all a very big ask, and it is not surprising that some organisations that may be required to appoint a DPO have been in two minds about doing so.
Conflicts of interest?
Some organisations that have decided to appoint a DPO may have concerns over possible conflicts of interest. The GDPR says that a DPO can fulfil other tasks and duties. This is welcome as many organisations that want a DPO do not want a full-time one, as workloads do not warrant that.
The GDPR then goes on to say that any such tasks and duties must not result in a conflict of interests. There is some Art.29 Working Party / EDPB guidance on this. It says that: “As a rule of thumb, conflicting positions may include senior management positions (such as chief executive, chief operating, chief financial, chief medical officer, head of marketing department, head of Human Resources or head of IT departments) but also other roles lower down in the organisational structure if such positions or roles lead to the determination of purposes and means of processing.”
Most DPOs seem to be from legal/compliance or IT backgrounds and tend to be fairly senior in terms of management structure, and their appointment could involve a conflict of interest if, for example, a DPO is also Depute Head of IT and makes decisions about the procurement of equipment, which in turn has an effect on how personal information is collected and used.
This is (another) very grey area of the GDPR and rather than looking at possible conflict of roles, the best bet might be to make sure any DPO role that is created is clearly defined in terms of duties, responsibilities and reporting lines and that there is an effective ‘Chinese wall’ between the DPO role and other duties the individual concerned may be expected to perform. Again, the development of a privacy team rather than the appointment of an ‘official DPO’ might circumvent the conflict of interest problem. In many ways it is better to have people involved in decisions about data privacy who are also involved in making decisions about marketing, the collection of information about employees, the retention of customer transaction details and so forth. Rather than presenting a conflict of interest, this can help to embed data privacy as part of mainstream corporate life.
What will a regulator do?
We cannot predict with any certainty how the ICO, other regulators, the EDPB or the Courts will rule in respect of the duty for certain organisations to appoint a DPO. My own experience would suggest that regulators are unlikely to take action in respect of the non-appointment of a DPO unless a) the organisation is clearly required to appoint a DPO, b) there is no alternative data privacy function in place and c) this is an aggravating factor in a wider compliance failure – e.g. a failure to report a notifiable data breach to the regulator. It is unlikely that a regulator would knock on an organisation’s door and demand to assess a DPO’s ‘expert knowledge of data protection law and practices’ – how would it do this anyway?
When the GDPR was being negotiated, neither the ICO nor HM Government were that keen on the requirement to appoint a DPO. Historically the ICO (and UK regulators more generally) have focused on compliance outcomes rather than checking on how organisations approach compliance. The latter has generally been considered overly prescriptive and is very much part of a continental approach to data protection (and to regulation more generally). The ICO argued that in many cases a ‘privacy team’ – as some tech companies have – can be a more effective means of managing data privacy risk than the appointment of an ‘official DPO’, but the ICO/HMG lost that argument and an approach based very much on the model in place in Germany and France prevailed.
So, what should you do about appointing a DPO?
Regardless of your view on the DPO debate, the GDPR makes it clear that many organisations are required to appoint an ‘official DPO’, with all the characteristics set out in the law. However, for many other organisations it is still not clear whether or not they need to appoint a DPO. These organisations should focus on having an effective privacy function in place, with knowledgeable staff, good corporate ‘visibility’ and the resources needed to carry out the role. There is no need to go ‘over the top’.
For relatively low-risk organisations, the regulator will expect to see evidence that data privacy is being taken seriously. If an organisation does suffer a breach then it will stand it in good stead to be able to demonstrate that there is a functioning internal data privacy function, or at least access to reliable advice from a third-party source. What the regulator wants to see is an organisation that has acknowledged the importance of personal information as a corporate risk-factor, and has access to the expertise needed to carry out day-to-day data privacy compliance functions competently, to instil good practice and to act appropriately if something does go wrong.