In this week's article, we look at whether your business needs a Data Protection Officer (DPO). For many small businesses a DPO will not be necessary, however if any of the following apply to your business, a DPO is mandatory under GDPR:
- Your organisation is a public authority or a public body
- The core activity of your business is the regular and systematic monitoring of data subjects on a large scale
- The core activity of your business is the processing of sensitive data on a large scale or it involves the processing of personal data relating to criminal convictions and/or offences
The above applies to data controllers and data processors. It is also recommended that private organisations who carry out public tasks on behalf of a public authority should appoint a DPO.
What is a core activity?
Core activities can be defined as the key operations that are necessary to achieve the business’s goals. An example of this is a private security company that carries out surveillance of private shopping centres and/or public spaces using CCTV. In this instance they would need to appoint a DPO as surveillance is the core activity of their business.
On the other hand, it is not mandatory to appoint a DPO where a business undertakes activities such as payroll and IT support as these are considered ancillary services rather than core activities.
What is large scale processing?
GDPR does not define what is large scale processing but businesses should consider the following in relation to their personal data processing activities:
- The number of individuals (data subjects) concerned – either as a specific number or as a proportion of the relevant population
- The volume of data and/or the range of different data items being processed
- The duration, or permanence, of the data processing activity
- The geographical extent of the processing activity
Examples of large-scale processing include:
- Processing of patient data in the regular course of business by a hospital
- Processing of travel data of individuals using a city’s public transport system (e.g. tracking via travel cards)
- Processing of customer data in the regular course of business by an insurance company or a bank
- Processing of personal data for behavioural advertising by a search engine
Examples that do not constitute large-scale processing include:
- Processing of patient data by an individual doctor
- Processing of personal data relating to criminal convictions and offences by an individual lawyer
What skills and expertise should the DPO have?
GDPR states that the DPO: “shall be designated on the basis of professional qualities and, in particular, expert knowledge of data protection law”.
Whilst the regulation does not define the professional qualities required or detail the training a DPO would need, their level of experience and qualifications should be in line with the complexity and scale of data processing within that business.
They would also need, at a minimum, the following skills and experience:
- Expertise in national and European data protection laws and practices including an in-depth understanding of GDPR
- Understanding of the processing operations carried out within the business
- Understanding of IT and data security
- Knowledge of the business sector and the organisation as well as the ability to promote a data protection culture within the business
What is the role of the DPO?
The role of the DPO includes the following:
- Monitoring compliance in line with GDPR
- The key point of contact for the Data Protection Commissioner
- The key point of contact for data subjects
- Ensuring that data protection record keeping is maintained
- Ensuring that organisational and technical processes and procedures are in line with GDPR
- Training other staff and raising GDPR awareness
- Providing assistance in data protection impact assessments (DPIAs)
A DPO can be hired internally or externally and for some businesses they might want to outsource the DPO function, so it is shared amongst a group of businesses. If you decide that a DPO is not required, it is important that whoever looks after data protection and GDPR in your business does not have DPO stated in their job title.
Whilst a DPO can carry out other tasks and duties, it is important that there is no conflict of interest between their existing duties and the DPO role so that they can remain sufficiently independent in their role as DPO.
Finally, DPOs are not personally responsible for GDPR compliance under GDPR as data protection compliance is the responsibility of the business.
If you would like more information on GDPR or to discuss your requirements further, please contact Helen at SFA on 01 6051668 or at email@example.com or visit our GDPR section on www.sfa.ie/advice