Data Protection Officer – what, why, how.
Reasons to read…
- Does your law firm have a Data Protection Officer (DPO)?
- This article may still apply to you if your company/firm handles personal data
- Do you work for a law firm?
- Does your DPO know their exact role and are they registered?
- Should you have a DPO?
What is a data protection officer?
So far all you will have got from this blog is a confusing questionnaire, all of which is irrelevant if you don’t know what a DPO is in the first place! ‘DPO’ is an abbreviation for ‘Data Protection Officer’. A DPO is an expert role which requires an individual to ensure a firm is compliant with GDPR. Data protection officers are also designated individuals who must notify the ICO within 72 hours of a data breach. A DPO, or a similar arrangement, is crucial for a company to be compliant with GDPR, but not all firms require one. Later on, you will find out exactly whether your firm needs a DPO or not.
Why have DPOs begun to be introduced?
DPOs have been introduced as a result of law firms failing to report breaches to the ICO immediately. The idea is that if a law firm has a specific DPO, then in any case of a breach, this breach can be reported to the ICO without hesitation or delay. If a law firm has a designated DPO, this also allows the firm to document the decisions it makes and to go back and review those decisions, especially before any substantial change in processing activity or when carrying out a data protection impact assessment (DPIA). Not all law firms are required to have a DPO; if yours does not appoint one, your firm will have to provide a reason for that and consider the other governance arrangements you will put in place to ensure compliance with GDPR.
So, now you know what DPO stands for, what a DPO is and why, under GDPR, the introduction of them has become crucial. Next you should know what the roles of a DPO are. Keep reading to find out more…
What are the roles of a DPO?
In the last blog you learnt what a DPO is and why they are being required under GDPR. Now, read on to find out the specific roles of a DPO, which have been extracted directly from the General Data Protection Regulation manual.
The roles of a DPO are outlined in Article 39 of the GDPR. The roles of a DPO are as follows. A DPO must inform and advise the controller, the processor and the employees who carry out any processing of personal data. DPOs must ensure that these people are aware of their obligations under GDPR and under other Union or Member State data protection provisions.
It is also a DPO’s job to monitor a company’s compliance with GDPR. This is especially important with regard to how a company processes personal data and making sure it is fully compliant with GDPR in the way that processing is carried out. This includes the assignment of responsibilities, awareness-raising and training of staff involved in processing operations. The DPO must also be prepared to provide advice, where requested, regarding a data protection impact assessment and to monitor its performance pursuant to Article 35 (Data protection impact assessment and prior consultation).
A DPO is also required to cooperate with the supervisory authority. They should act as the contact point for the supervisory authority on issues related to processing, including the prior consultation referred to in Article 36, and consult with it on any other matter where appropriate. In the performance of his or her tasks, a DPO shall also have due regard to the risks associated with processing operations, taking into account the nature, scope, context and purposes of the processing.
So, I bet you’re wondering, “How does all of this apply to me?” Well, keep reading to find out whether a DPO is a necessary addition to your firm and why you may need to think about hiring one.
Who needs to appoint a DPO – guidelines from the GDPR manual.
This may not apply to all law firms, but it is worthwhile reading and understanding who does and who does not require a DPO in their law firm to make sure you stay compliant with the General Data Protection Regulation. If circumstances change in your firm, a DPO may become required, so it is important for you as a firm to recognise the circumstances which require the appointment of a DPO.
Article 37 (1) of GDPR sets out specific criteria which you must apply to see whether the appointment of a DPO is necessary in your firm. If the core activities of the controller or the processor consist of processing operations which require regular and systematic monitoring of data subjects on a large scale, then a DPO will be required to monitor and safeguard this processing. A DPO is likewise required if the core activities of the controller or the processor consist of large-scale processing of special categories of data pursuant to Article 9 (Processing of special categories of personal data) or of personal data relating to criminal convictions and offences referred to in Article 10 (Processing of personal data relating to criminal convictions and offences).
A group of firms or companies may want to appoint a single DPO to cover all of their compliance. This is compliant with GDPR as long as the DPO is easily accessible from each establishment. The size and organisational structure of the firm must also be taken into account when considering whether the firm can share a DPO with several other establishments.
In other cases, the controller or processor, or associations and other bodies representing categories of controllers or processors, may designate a data protection officer, or shall do so where required by Union or Member State law. Such a DPO may act for those associations and other bodies representing controllers or processors.
The data protection officer shall be designated on the basis of professional qualities and, in particular, expert knowledge of data protection law and practices and the ability to fulfil the tasks referred to in Article 39. The DPO may be a staff member of the controller or processor, or may fulfil the tasks on the basis of a service contract.
Under GDPR, the DPO must also be registered with the ICO. The contact details of the Data Protection Officer must be published and must be communicated to the supervisory authority.
Find out the responsibilities of the controller or processor with regards to their DPO and what they should do to support a DPO in their firm…
What can your firm do to support your DPO?
According to the General Data Protection Regulation, the controller and/or processor have the responsibility to protect the DPO and make sure that they are not subject to conflicting interests within their roles in the firm.
GDPR says that the position of a DPO involves the controller and the processor making sure that the DPO is involved, properly and in a timely manner, in all issues which relate to the protection of personal data. This means that any issues, concerns or changes in the way data is being processed in a firm must be reported to the DPO without hesitation or delay, as the DPO has the final say on how the firm should deal with that particular situation.
The controller or processor should also support their DPO in performing the tasks in Article 39 by providing the resources necessary to carry out those tasks, including access to personal data and processing operations. One way to do this is to maintain the DPO’s expert knowledge by providing the correct material and resources. Controllers and processors should also ensure that DPOs do not receive any instructions regarding the exercise of their tasks. The DPO can be neither penalised nor dismissed by the controller or processor for performing those tasks, and the DPO must report directly to the highest management level of the controller or processor in their firm.
All data subjects have the right to contact the DPO on all issues concerning the processing and protection of their personal data. As a result of this, DPOs are bound by secrecy or confidentiality concerning the performance of their tasks, in accordance with Union or Member State law. There are also other duties which a DPO may need to fulfil within their job role; it is the controller’s or processor’s job to make sure that these ‘other tasks’ do not result in a conflict of interests for the DPO.
Now, for those of you who may have skipped part 3 because your firm does not require a DPO due to the type of personal data it handles or the size of the firm, read part 5 below, where an alternative to appointing a DPO is set out, meaning you can still be compliant with GDPR without hiring a DPO specifically.
This section will be helpful to those who found part 3 of this blog unnecessary for their firm because they do not require a DPO. Although part 3 could help you grasp what it takes to require a DPO, this section is more relevant to you. If you do not make a mandatory or voluntary appointment of a DPO, you should consider nominating a suitably senior and qualified person with the necessary resources to lead on data protection compliance. This person should not be described as a ‘DPO’; a suitable alternative title (or part of a title) might be ‘Privacy Officer’ or ‘Data Protection Compliance Programme Manager’, etc.
What constitutes a suitably senior and qualified person with the necessary resources will vary between practices. One reason larger practices may choose not to make a voluntary appointment of a DPO is that the position and tasks of the DPO under the GDPR are misaligned with their current governance and accountability arrangements for risk management across the firm. In these circumstances, the balance of resources and responsibilities across the risk management function will need to be considered, and the demands of the GDPR mean that they are unlikely to remain unchanged from your current arrangements. Sole practitioners and smaller practices may continue to allocate responsibility for data protection to a partner, but consideration will need to be given to obtaining external expert advice: for example, in your initial preparations for GDPR, on the occasion of significant changes in processes, procedures or technology (including when it is necessary to carry out a data protection impact assessment), or in order to ensure that you have appropriate technical and organisational measures in place to secure data or to respond to data breaches (including mandatory data breach notifications).