Struggling to decide if you need a Data Protection Officer? You’re not alone – and many organisations have made the wrong decision, putting employees under conflict and signposting they don’t ‘get’ GDPR.
And stay with us to the end, because we’ll finish with a great tip that just may save you and your organisation a whole load of embarrassment, and potentially far more.
Links are at the end of the blog as always.
Right! Grab yourself a cuppa and let’s crack on!
One thing every organisation needs to do under GDPR is decide if it actually needs a DPO. Now, it doesn’t matter whether you’re a controller or processor, it applies to both. And I recommend you document your decision, particularly if the answer isn’t obvious.
We’ll run through the 3-part test in detail, but first, the summary.
If you’re public sector and not a court, you’re going to need a DPO. If you’re private sector, you need to look at the test, but you’re unlikely to need a DPO. Now, I know many regulators and DPOs may be shouting at their phones at this point, but consider one data point:
The Law Society of England & Wales says most law firms will not be required to appoint a DPO under GDPR.
Think about the sort of personal data law firms process, and what they do.
Let’s see why they said that. Now, let’s go into the 3-part test!
If you are, you need a DPO with a narrow exception of courts acting in their judicial capacity. Simple.
OK, let’s look at everybody else….
Now, Test Two takes a bit more time, but it lays the groundwork to easily tackle Test Three.
You have to say yes to all three parts before you need a DPO under Test Two. Now, in practice, we can easily knock on the head ‘regular systematic monitoring’.
This isn’t defined in GDPR, like so much else! But there is a Recital on a different part of GDPR that says that this ‘monitoring’ includes when people are tracked on the internet, particularly in order to take decisions concerning him or her, or for analysing or predicting her or his personal preferences, behaviours and attitude. Regulators have given many more examples of monitoring – key ones are:
Given these examples, it’s safe to say quite a lot of companies are doing these.
‘Regular and systematic’ is easy!
Now plenty of organisations will be doing one of the monitoring activities, and if they are, it’s going to be as part of a general plan or strategy.
So let’s just say, for now, yes to this part and move on. You can always come back to this and let’s look at the other two parts: ‘core activity’ and ‘large scale’. They’re not actually that hard to understand when you look at some really helpful examples.
So, core activities. Again, ‘core activities’ is not defined by GDPR, but a Recital does say that core activities relate to primary activities and not processing of personal data that are ancillary activities. EU Regulators have clarified we also need to look at activities where the processing of personal data forms an ‘inextricable part’ of a primary activity.
Now, our very own UK ICO has a great example here on the difference between core activity and ancillary activities: for most organisations, processing personal data for HR purposes will be a secondary function to their main business activities, and so will NOT be part of their core activities.
That’s really helpful. It means you can ignore that for the DPO tests.
However they go on – an HR service provider necessarily processes personal data as part of its core activities to provide HR functions to its client organisations. At the same time, it will also process HR information for its own employees, which will be ancillary.
That’s a really clear example. Regulators also add payroll and standard IT support to the list of ancillary functions. So, that’s ancillary functions.
We’ve had a little look at core activity. Two more examples from European Regulators.
So – is your regular systematic monitoring a CORE ACTIVITY of your organisation? If yes, stay with Test Two and let’s look at what ‘large scale’ means. If no, you don’t need a DPO under Test Two and you can move on to Test Three.
Right, large scale – the third leg of Test Two. And again, this is not defined by GDPR so let’s look again at guidance from Regulators and from GDPR itself. Regulators note you can’t give a precise number for large scale, either on the amount of data items processed or on the number of data subjects.
However, they’ve drawn out four factors to consider and they’ve given us a tonne of examples we’ll come to next. So – those four factors.
Right, onto the examples. The first two are actually from a GDPR Recital on Data Protection Impact Assessments or DPIAs, so may not be 100 per cent applicable for DPOs, but the Regulators start here, so we will, too.
We luckily have fantastic examples from the EU Regulators. This includes:
The UK ICO gives two more examples.
So, that’s large scale and with GDPR, it’s often easy to forget where you started. So here’s Test Two again: do you, as a core activity, and at large scale, regularly and systematically monitor individuals?
Here are two more examples bringing it all together.
OK, let’s move on to Test Three, which is now going to be super simple!
Again, it’s a 3-parter. We’ve already looked at ‘core activities’ and ‘large scale’. The crime part is pretty straightforward. ‘Special categories of personal data’ is defined by GDPR as personal data revealing:
Now, you’ll probably process health data for your employees as part of carrying out your own HR purposes. But we’ve seen that that’s not a core activity typically, it’s ancillary, so we can ignore that for the DPO test.
So – do you process any other special categories of personal data or crime data for yourself – or for another person?
Have a think for a moment …
Now, if you do, does that processing qualify as a core activity on its own or because it’s an inextricable part of a core activity? And if so, is it large scale? If you’ve answered yes to all of that, then you need a DPO under Test Three. If you’ve answered no to either one of them, you don’t need a DPO under Test Three.
Now, the Bonus Tip! Regulators and DPOs maybe won’t like me saying this, but the practical advice has to be DEFINITELY have an internal privacy champion, send them on training, give them support, call them the Privacy Manager, the Privacy Officer, the Chief Privacy Officer. But don’t name someone a DPO if you don’t need one unless you feel the marketing benefits outweigh the issues of having one, because even if you name someone DPO voluntarily, all the rights and obligations under GDPR apply to that role, the person and the organisation.
And if you really need one or you just decide you really want one, do consider an external DPO. They’re decently priced services. The right choice will bring a load of expertise and advice to the table. It will stop having somebody in a conflicted position in your organisation, and it could well save you a lot of time.
So there you go! In the time it took to have a coffee, we’ve gone over ‘Do I need a DPO?’. Please do look at our other videos such as Who can be your DPO?, What does a DP do? and 10 Steps to GDPR Compliance.
And please do use #PRIVACYKITCHEN to let us know the topics and questions you want us to cover.
Stay well in the meantime and see you soon in Privacy Kitchen!