A ‘DPO’, or Data Protection Officer is the person in a business who has been appointed to deal with all data privacy related matters. Under the current Data Protection Act there are no mandatory requirements to appoint a DPO, although some businesses that process a high volume of data may have someone in that role already.
There has been a lot of confusion over the last few months about whether the implementation of GDPR [1] (on 25th May 2018) or the introduction of the Data Protection Bill 2017 means that businesses do now have to appoint a DPO. The answer to that question is, no, not all businesses need to appoint a DPO BUT that doesn’t necessarily mean that it’s not in your business’ best interest to have someone who is solely responsible for data privacy matters.
GDPR
The GDPR requirements are set out in Article 37: –
“The controller and the processor shall designate a data protection officer in any case where:
-
The processing is carried out by a public authority or body, except for courts acting in their judicial capacity;
-
The core activities of the controller or the processor consist of processing operations which, by virtue of their nature, their scope and/or their purposes, require regular and systematic monitoring of data subjects on a large scale; or
-
The core activities of the controller or the processor consist of processing on a large scale of special categories of data pursuant to Article 9 and personal data relating to criminal convictions and offences referred to in Article 10.”
GDPR also points out that it is ‘entirely reasonable’ to share a DPO with other organisations. The role could also be performed by a current employee alongside their existing duties.
The Data Protection Bill
The Data Protection Bill [2] will introduce GDPR into UK legislation, only necessary because of Brexit (GDPR is a Regulation so applies to all member states without the need for domestic legislation). The Bill will cover GDPR which applies to ‘general processing’, but also the Law Enforcement Directive [3] which must be transposed into domestic law by 6th May 2018. Finally, the Bill also covers processing for National Security, currently not covered by either GDPR or the Law Enforcement Directive.
Under the Bill, the GDPR requirements around DPOs will stand and the only addition is in Part 4, chapter 3 which relates to law enforcement processing:
“-s69(1) The controller must designate a data protection officer, unless the controller is a court, or other judicial authority, acting in its judicial capacity.”[4]
Best Practice
Whilst you may not be under a mandatory requirement to appoint a DPO, it is considered best practice to appoint someone to be responsible for data privacy matters. With GDPR, the Data Protection Bill and then proposed changes in respect of E-Privacy, the importance data privacy and protection is not going to diminish any time soon. After all, it’s not a case of simply ticking a box that says you are compliant with the legislation. The concept of privacy by design is now a requirement of GDPR, and teamed with the requirements to demonstrate ongoing accountability, it’s important to have a data protection ‘champion’ within your business to ensure that privacy, data protection and data subjects rights remain in the forefront of everyone’s minds.
Get in touch
For more information about data protection compliance, simply get in touch with one of our experts today.
[1] General Data Protection Regulation (GDPR) Regulation (EU) 2016/679)
[2] https://publications.parliament.uk/pa/bills/cbill/2017-2019/0153/18153.pdf
[3] DIRECTIVE (EU) 2016/680
[4] https://publications.parliament.uk/pa/bills/cbill/2017-2019/0153/18153.pdf, Part 4, Chapter 3, Section 69(1)
