DPOs Part 1: Do I need a DPO?

The first in our DPO series answers the fundamental question

Struggling to decide if you need a Data Protection Officer?  You’re not alone – and many organisations have made the wrong decision, putting employees in a conflicted position and signalling that they don’t ‘get’ GDPR.

So – don’t make that decision until you watch our FREE video on the 3-part test or read this sister blog post.  It’s Part 1 of our Privacy Kitchen series on DPOs, so stay tuned for more.

And stay with us to the end, because we’ll finish with a great tip that just may save you and your organisation a whole load of embarrassment, and potentially far more.

Links are at the end of the blog as always.

Right! Grab yourself a cuppa and let’s crack on!

Do I need a DPO?

One thing every organisation needs to do under GDPR is decide if it actually needs a DPO.  Now, it doesn’t matter whether you’re a controller or processor, it applies to both.  And I recommend you document your decision, particularly if the answer isn’t obvious.

We’ll run through the 3-part test in detail, but first, the summary.

If you’re public sector and not a court, you’re going to need a DPO.  If you’re private sector, you need to look at the test, but you’re unlikely to need a DPO.  Now, I know many regulators and DPOs may be shouting at their phones at this point, but consider one data point:

The Law Society of England & Wales says most law firms will not be required to appoint a DPO under GDPR.

Think about the sort of personal data law firms process, and what they do.

Let’s see why they said that.  Now, let’s go into the 3-part test!

Test One: are you a public authority or body?

If you are, you need a DPO, with the narrow exception of courts acting in their judicial capacity.  Simple.

OK, let’s look at everybody else…

Now, Test Two takes a bit more time, but it lays the groundwork to easily tackle Test Three.

Test Two: as a core activity and on a large scale, do you ‘regularly and systematically monitor’ individuals?

You have to say yes to all three parts before you need a DPO under Test Two.  Now, in practice, we can deal with ‘regular and systematic monitoring’ quickly.

Regular & Systematic Monitoring

This isn’t defined in GDPR, like so much else!  But there is a Recital on a different part of GDPR that says that this ‘monitoring’ includes when people are tracked on the internet, particularly in order to take decisions concerning him or her, or for analysing or predicting her or his personal preferences, behaviours and attitude.  Regulators have given many more examples of monitoring – key ones are:

  • data-driven marketing,
  • profiling and scoring for risk assessment, for example, for credit,
  • loyalty programmes, and
  • behavioural advertising.

Given these examples, it’s safe to say quite a lot of companies are doing these.

‘Regular and systematic’ is easy!

  • ‘Regular’ means any of: ongoing, recurring, repeated, constant or periodic.
  • And ‘systematic’ means pre-arranged, methodical, taking place according to a system, general plan or strategy.

Now plenty of organisations will be doing one of the monitoring activities, and if they are, it’s going to be as part of a general plan or strategy.

So let’s just say yes to this part for now and move on; you can always come back to it.  Now let’s look at the other two parts: ‘core activity’ and ‘large scale’.  They’re not actually that hard to understand when you look at some really helpful examples.

Core activities

So, core activities.  Again, ‘core activities’ is not defined by GDPR, but a Recital does say that core activities relate to the organisation’s primary activities and not to the processing of personal data as an ancillary activity.  EU Regulators have clarified that we also need to look at activities where the processing of personal data forms an ‘inextricable part’ of a primary activity.

Now, our very own UK ICO has a great example here on the difference between core activity and ancillary activities: for most organisations, processing personal data for HR purposes will be a secondary function to their main business activities, and so will NOT be part of their core activities.

That’s really helpful. It means you can ignore your own HR processing for the DPO tests.

However, they go on: an HR service provider necessarily processes personal data as part of its core activities to provide HR functions to its client organisations. At the same time, it will also process HR information for its own employees, which will be ancillary.

That’s a really clear example. Regulators also add payroll and standard IT support to the list of ancillary functions.  So, that’s ancillary functions.

We’ve had a little look at core activity.  Here are two more examples from European Regulators.

  • First, a hospital’s core activity is clearly providing healthcare, but as it can’t provide that healthcare without processing patients’ health records, processing those records is a core activity of the hospital.
  • Second, a private security company might be carrying out surveillance of a number of private shopping centres and public spaces. That surveillance is clearly the core activity of the company, and it’s inextricably linked to the processing of personal data.

So – is your regular systematic monitoring a CORE ACTIVITY of your organisation?  If yes, stay with Test Two and let’s look at what ‘large scale’ means.  If no, you don’t need a DPO under Test Two and you can move on to Test Three.

Large scale

Right, large scale – the third leg of Test Two. And again, this is not defined by GDPR so let’s look again at guidance from Regulators and from GDPR itself.  Regulators note you can’t give a precise number for large scale, either on the amount of data items processed or on the number of data subjects.

However, they’ve drawn out four factors to consider and they’ve given us a tonne of examples we’ll come to next.  So – those four factors.

  1. the NUMBER of data subjects concerned either as a specific number or a proportion of the relevant population,
  2. the VOLUME of data or the range of different data items being processed,
  3. the DURATION or permanence of the data processing activity, and
  4. the GEOGRAPHICAL EXTENT of the processing activity.

Right, onto the examples.  The first two are actually from a GDPR Recital on Data Protection Impact Assessments or DPIAs, so may not be 100 per cent applicable for DPOs, but the Regulators start here, so we will, too.

  • The GDPR’s example of ‘large scale’ is processing which aims to process a ‘considerable amount’ of personal data at a regional, national or supranational level, and which could affect a ‘large number’ of data subjects. So, ‘regional’ and up, ‘large number’ of data subjects.
  • And at the other end of the spectrum, the Recital specifically says it’s not large scale when an individual physician or other health care professional processes patients’ personal data, or an individual lawyer processes clients’ personal data. So … ‘regional, national or supranational’ … individual lawyer or doctor. Quite a lot of space in between!

We luckily have fantastic examples from the EU Regulators.  These include:

  • that hospital example,
  • processing travel data of individuals using a city’s public transport system, for example, tracking via travel cards,
  • processing real-time geo-location data of customers of an international fast food chain for statistical purposes, by a processor specialising in providing those services,
  • processing customer data in the usual course of business for an insurance company or a bank,
  • processing personal data for behavioural advertising by a search engine,
  • a Telco or an ISP processing content, traffic or location data, and
  • don’t forget our old friend the private security company!  Carrying out surveillance on a number of private shopping centres or public areas.

The UK ICO gives two more examples.

  • One: a large retail website uses algorithms to monitor the searches and the purchases of its users and, based on this information, offers recommendations to them.
  • And secondly: a health insurance company processes a wide range of personal data about a large number of subjects.

So, that’s large scale.  With GDPR, it’s often easy to forget where you started, so here’s Test Two again: do you, as a core activity, and at large scale, regularly and systematically monitor individuals?

Here are two more examples bringing it all together.

  • A small family business active in the distribution of household appliances in a single town uses the services of a processor, whose core activity is to provide website analytic services and assistance with targeted advertising and marketing.  Now, the activities of the small family business and its customers are not going to generate processing at a large scale.  So the family business does not need a DPO.  The processor may well do.
  • Next, a medium-sized tile manufacturing company sub-contracts its occupational health services to an external processor, which has a large number of similar clients.  Again, the manufacturer probably doesn’t need a DPO, but the processor probably does, if processing is on a large scale.

OK, let’s move on to Test Three, which is now going to be super simple!

Test Three: as a core activity, on a large scale, do you process either special categories of personal data or personal data relating to criminal convictions or offences?

Again, it’s a 3-parter.  We’ve already looked at ‘core activities’ and ‘large scale’.  The crime part is pretty straightforward.  ‘Special categories of personal data’ is defined by GDPR as personal data revealing:

  • racial or ethnic origin,
  • political opinions, religious or philosophical beliefs or trade union membership,
  • genetic data,
  • biometric data for the purpose of uniquely identifying a natural person,
  • data concerning health, and
  • data concerning a person’s sex life or sexual orientation.

Now, you’ll probably process health data for your employees as part of carrying out your own HR purposes.  But we’ve seen that that’s typically not a core activity but an ancillary one, so we can ignore it for the DPO test.

So – do you process any other special categories of personal data or crime data for yourself – or for another person?

Have a think for a moment …

Now, if you do, does that processing qualify as a core activity on its own, or because it’s an inextricable part of a core activity?  And if so, is it large scale?  If you’ve answered yes to all of that, then you need a DPO under Test Three.  If you’ve answered no to any one of them, you don’t need a DPO under Test Three.

Bonus Tip

Now, the Bonus Tip!  Regulators and DPOs may not like me saying this, but the practical advice has to be: DEFINITELY have an internal privacy champion, send them on training, give them support, and call them the Privacy Manager, the Privacy Officer or the Chief Privacy Officer.  But don’t name someone a DPO if you don’t need one, unless you feel the marketing benefits outweigh the issues of having one: even if you name someone DPO voluntarily, all the rights and obligations under GDPR apply to that role, the person and the organisation.

And if you really need one, or you just decide you really want one, do consider an external DPO.  They’re decently priced services.  The right choice will bring a load of expertise and advice to the table.  It avoids putting somebody in your organisation in a conflicted position, and it could well save you a lot of time.

So there you go! In the time it took to have a coffee, we’ve gone over ‘Do I need a DPO?’.  Please do look at our other videos such as Who can be your DPO?, What does a DPO do? and 10 Steps to GDPR Compliance.

And please do use #PRIVACYKITCHEN to let us know the topics and questions you want us to cover.

Stay well in the meantime and see you soon in Privacy Kitchen!

Links

The GDPR itself!

The UK ICO’s excellent guide to DPOs

Art 29 WP, WP 243 rev.01, Guidelines on Data Protection Officers (‘DPOs’)

The Law Society of England & Wales on DPOs and Law Firms
