At Teal, we’re often asked questions about whether law firms need a Data Protection Officer (DPO). In this blog, we’ll answer the question ‘what is a Data Protection Officer?’ and go through what the guidance says, when a DPO must be appointed, who can be a DPO, and the crucial role they play in ensuring GDPR compliance.
What is a Data Protection Officer (DPO)?
The primary responsibility of a Data Protection Officer is to inform and advise the organisation and staff on GDPR compliance. This comprehensive role encompasses monitoring compliance, raising awareness, training staff, conducting internal audits, and serving as the initial point of contact for supervisory authorities and individuals affected by data processing. The DPO takes centre stage in adopting a risk-based approach, concentrating on high-risk activities and actively participating from the earliest stages in decision-making processes.
Additionally, it’s important to emphasise that a DPO extends beyond their immediate responsibilities. Although not directly accountable for overall compliance – a duty retained by the data controller or processor – the DPO undeniably assumes a key role in the oversight of the implementation of the data protection strategy. Their invaluable contribution becomes instrumental in ensuring the organisation fulfils its data protection obligations, thereby setting up a solid foundation for a robust and compliant approach.
What the guidance says about DPOs
Under the GDPR, the appointment of a Data Protection Officer (DPO) is a nuanced decision. Some organisations find it mandatory, while others may opt for a voluntary appointment or decide it’s unnecessary. The WP29 guidance, which replaced the European Data Protection Supervisor, advises organisations to document internal analyses to determine DPO necessity. The default assumption is that a DPO is needed unless proven otherwise. This commitment to GDPR compliance places specific obligations on the appointed DPO.
GDPR requirements
GDPR outlines scenarios requiring a DPO, including when an organisation is a public authority, engages in regular monitoring of individuals, or processes large-scale special data categories. The flexibility of sharing a DPO between organisations and the possibility of an existing employee taking on the role highlights the pragmatic approach of GDPR.
The Data Protection Bill
The Data Protection Bill seamlessly incorporates GDPR into UK legislation, addressing general processing and the Law Enforcement Directive. While not all businesses are obligated to appoint a DPO, adhering to best practices suggests appointing someone solely responsible for data privacy matters.
Embracing the GDPR principles of privacy by design, having a dedicated data protection champion within your business is considered essential. This strategic move aligns with the evolving legal landscape, emphasising proactive measures for privacy and data protection.
When must a Data Protection Officer be appointed?
Under the GDPR, a DPO must be appointed if the organisation is a public authority, engages in large-scale monitoring of individuals, or processes large-scale special categories of data or data related to criminal convictions.
The definition of ‘large scale’ isn’t outlined, but the guidelines say you should consider the following factors:
- The number of data subjects concerned
- The volume of personal data being processed
- The range of different data items being processed
- The geographical extent of the activity
- The duration or permanence of the processing activity
Should you decide not to appoint a DPO, GDPR requires organisations to maintain records of their processes and any data breaches. Ensuring your business has adequate staff and resources is crucial to effectively fulfil its obligations under the GDPR.
Who can and can't be a Data Protection Officer?
The GDPR stance on appointing a DPO centres on their ability, experience, and knowledge of data protection law. While the regulations don’t suggest specific credentials, they stress that these qualifications should align with the type of processing undertaken, considering the necessary level of protection of personal data. A DPO having familiarity with your industry, sector, and the intricacies of your data protection needs enhances their effectiveness.
Opting for an external DPO is a strategic move to avoid potential conflict issues. This approach proves invaluable when an internal candidate isn’t readily available within your business to undertake the role.
The WP29 guidance offers valuable insights into individuals within a firm who are ill-suited for the DPO role due to potential conflicts of interest. This includes high-ranking positions like:
- Chief Executive Officer
- Chief Operating Officer
- Chief Financial Officer
- Head of Marketing
- Head of Human Resources
- Head of IT
Lesser senior roles may also pose conflicts if they involve deciding the purpose and means of processing.
For law firms, the Compliance Officer for Legal Practices (COLP) may be a suitable DPO, depending on their other responsibilities. The GDPR ensures DPOs receive the necessary support, maintain independence, and enjoy protected employment status, shielding them from unjust actions for performing their duties.
Law firms and Data Protection Officers
According to insights from the Law Society, the consensus is that most law firms might not require the appointment of a Data Protection Officer (DPO), because they typically don’t engage in systematic monitoring of data subjects on a large scale. This viewpoint was first outlined in a March 2018 article and then recapped in August 2019 “Appoint a Data Protection Officer (DPO)”.
Exceptions arise when law firms handle special categories of data, such as health, ethnicity, political or religious beliefs, trade union membership, or the sexual orientation of their clients. In such cases, especially if processing occurs on a large scale, the consideration for a mandatory DPO appointment gains significance.
Opting for a voluntary DPO appointment can be beneficial, particularly when uncertainty exists. Seeking specialist advice is advisable for firms lacking expertise in data protection. Law firms are encouraged to keep a concise record of their decision-making process.
The decision to appoint a Data Protection Officer (DPO) is important, but regardless of your choice, promoting awareness amongst all staff about the individual handling data protection matters is crucial. This person, whether a DPO or another designated individual, should have a direct line to top-level management.
It’s important to clarify that, if appointed, a DPO isn’t directly responsible for overall compliance – that responsibility lies with the data controller or processor. Nevertheless, the DPO, along with other appointees, plays a key role in overseeing the implementation of the data protection strategy and fulfilling the organisation’s obligations.
Get in touch
At Teal, we’re here to support your journey towards compliance that works.
We understand that compliance can be a daunting word, but it’s also the key to unlocking your firm’s full potential.
Get in touch with our experts to find out how we can help with data protection compliance.