A Beginner’s Guide to the Data Protection Officer (DPO)

Green Paper

Protect Comply Thrive

IT GOVERNANCE | GREEN PAPER


IT GOVERNANCE GREEN PAPER | MARCH 2019

Introduction

The EU’s General Data Protection Regulation (GDPR) applies to all organisations that process or control the processing of EU residents’ personal data – which is any information that can be used to identify them or linked to them.

Among other obligations, the Regulation requires data processors and controllers to implement “appropriate technical and organisational measures” to ensure the security of personal data. Some organisations must appoint a data protection officer (DPO); others might choose to appoint one as part of the technical and organisational measures.

DPOs are independent data protection experts who are responsible for advising organisations on their legal and regulatory data protection obligations – including compliance with the GDPR.

Articles 37–39 of the GDPR set out its requirements relating to DPOs: when one must be appointed (Article 37), the nature of their position in the organisation (Article 38) and the tasks they must carry out (Article 39).

Infringements of these articles leave organisations open to the GDPR’s lower level of administrative fines: up to 2% of their annual global turnover or €10 million – whichever is greater – so it is important to meet the DPO obligations correctly.

This guide explains when organisations are required to appoint a DPO (and why they should consider appointing one even if not obliged to), what a DPO does, the experience and qualifications they need, how much you should expect to offer when recruiting a DPO, and the benefits of outsourcing the role.

GDPR definitions

• Processing is any operation or set of operations that is performed on personal data, whether by automated means or not.

• Personal data is any information relating to an identified or identifiable natural person (known as a data subject).

• An identifiable natural person or data subject is someone who can be identified, directly or indirectly, in particular by reference to an identifier.

• A data controller is the natural or legal person, public authority, agency or any other body that determines the purposes and means of the processing.

• A data processor is the natural or legal person, public authority, agency or any other body that processes personal data on behalf of the data controller.


Data protection law in the UK

With Brexit continuing to cause uncertainty, it’s worth clarifying which data protection laws will apply in the UK after exit day.

The GDPR entered into force on 24 May 2016, before the UK’s referendum on EU membership. Following a two-year transition period, the Regulation took effect on 25 May 2018, superseding the EU’s Data Protection Directive 1995 and all Member State law that implemented it – including the UK’s Data Protection Act (DPA) 1998.

Although it applies directly in Member States with all the force of a domestic law, the GDPR leaves certain areas to individual Member States to interpret and implement. In the UK, the GDPR is therefore supplemented by a new Data Protection Act: the DPA 2018.

As well as supplementing the GDPR, the DPA 2018 applies a broadly equivalent regime of data protection (‘the applied GDPR’) to certain areas that fall outside the GDPR’s scope, including processing by public authorities, and sets out personal data processing regimes for law enforcement and intelligence purposes.

The government intends that, on the UK’s withdrawal from the EU, the proposed Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 – a statutory instrument under the European Union (Withdrawal) Act 2018 – will amend the DPA 2018 to replace references to EU laws, institutions, currency and the like with British equivalents, and combine the applied GDPR with the provisions of the EU GDPR to form a data protection regime that works in a UK context: the UK GDPR.

The UK GDPR will ensure the UK continues to enforce international data protection requirements after leaving the EU and should help facilitate cross-border data flows.

The UK GDPR will not amend the EU GDPR’s requirements for DPOs.

What does a DPO do?

Although a DPO is only strictly necessary if the organisation performs certain processing activities, the role of the DPO is not limited to those activities. Instead, they will have tasks that relate to all of the data processing activities that the organisation carries out.

Article 39 of the GDPR states that the DPO’s tasks should include:

• Informing and advising the organisation, and the employees who carry out processing, of their obligations under the GDPR and other Union or Member State data protection provisions;

• Monitoring compliance with the GDPR, other Union or Member State data protection provisions, and the organisation’s policies relating to data protection, including how the organisation assigns responsibilities, raises awareness and trains staff involved in processing operations, and related audits;

• Providing advice, where requested, about data protection impact assessments (DPIAs) and monitoring their performance;

• Cooperating with the supervisory authority, for instance in the event of a data breach investigation; and

• Acting as the contact point for the supervisory authority (the Information Commissioner’s Office (ICO) in the UK) on issues relating to processing and consulting, where appropriate, with regard to any other matter.

When performing these tasks, the DPO must “have due regard to the risk associated with processing operations”.

DPIAs are a type of risk assessment specific to data protection. The GDPR requires them to be carried out where a type of processing is likely to result in a high risk to data subjects’ rights and freedoms.

Note that the DPO’s function is to monitor, and inform and advise about compliance – it is the controller that is ultimately responsible for compliance.


Who must appoint a DPO?

Article 37 of the GDPR states that data controllers and processors must designate a DPO if:

• They are a public authority or body, except for courts acting in their judicial capacity;

• Their core activities require regular and systematic monitoring of data subjects on a large scale; or

• Their core activities involve large-scale processing of sensitive personal data or data relating to criminal convictions or offences.

For the purposes of the GDPR, the definitions of ‘public authority’ and ‘public body’ in Section 7 of the DPA 2018 apply.

‘Core activities’ refer to the organisation’s primary activities rather than, for instance, processing data for HR purposes, which is a secondary function for most organisations.

The GDPR does not define ‘regular and systematic monitoring’, but Recital 24 takes ‘monitoring’ to include all forms of tracking and profiling, both online and offline.

The concept of ‘large scale’ is more difficult to quantify, and in some instances it might not be immediately obvious whether or not a DPO must be appointed. The WP29 (Article 29 Working Party) guidelines on DPOs state that when determining whether processing is on a large scale, organisations should take account of:

• The number of data subjects concerned;

• The volume and/or range of data being processed;

• The duration or permanence of the processing; and

• The geographical extent of the processing.

(The WP29 has since been replaced by the EDPB (European Data Protection Board), which has endorsed these guidelines.)

DPO obligations in other countries

As explained above, the GDPR leaves certain areas to Member States to interpret and implement. Although the UK DPA 2018 does not extend the GDPR’s requirements for DPOs, several other countries’ laws do. It is therefore important to read the GDPR in conjunction with the relevant domestic law(s).

Some countries have introduced minor changes to the role as set out in the GDPR. For example:

• Austria, Denmark and the Netherlands expand on the GDPR’s requirement for DPOs to maintain secrecy in the fulfilment of their tasks.

• In Romania, Law no. 190/2018 requires that a DPO be designated by any data controller that processes national identification numbers when the processing is necessary for the purposes of their legitimate interests.

Others have opted to gold-plate the GDPR by imposing more stringent obligations on data controllers and processors. For example:

• The German BDSG (Bundesdatenschutzgesetz) mandates that private bodies that “constantly employ as a rule at least ten persons dealing with the automated processing of personal data” appoint a DPO, and organisations that “undertake processing subject to a data protection impact assessment”, or that “commercially process personal data for the purpose of transfer, of anonymized transfer or for purposes of market or opinion research” must appoint a DPO “regardless of the number of persons employed in processing”.

• Spain’s Ley Orgánica de Protección de Datos y de Garantía de Derechos Digitales requires numerous types of organisation to appoint a DPO, including professional associations, educational institutions, financial credit institutions, insurance and reinsurance companies, electricity and natural gas distributors and marketers, gaming operators, and private security companies.


Voluntarily appointing a DPO

Organisations that are not obliged to designate a DPO should still consider appointing one to oversee their GDPR compliance activities. In fact, the WP29 guidelines recommend that all organisations appoint one as a matter of good practice.

A DPO is particularly useful in the case of a data breach: their tasks include cooperating with, and acting as the contact point for, the supervisory authority, so they are well placed to manage the breach notification on the organisation’s behalf (the legal obligation to notify under Article 33 remains the controller’s).

Failure to meet the data breach reporting requirements leaves organisations facing the GDPR’s lower level of administrative fines: up to €10 million or 2% of annual global turnover – whichever is greater.

(Infringements of other GDPR articles can lead to administrative fines of up to €20 million or 4% of annual global turnover – whichever is greater.)

With only 72 hours in which to notify the supervisory authority, a dedicated DPO will suddenly seem like an exceptionally smart investment – especially as you’ll also spend those crucial early days closing any security gaps to stop more information being compromised, establishing the cause of the incident, exactly when it happened and what data was compromised, and communicating with affected data subjects as necessary.

However, it’s important to note that a DPO has the same legal status whether the appointment is voluntary or mandatory, and organisations will be liable for the same penalties if the DPO role is not fulfilled correctly. They might therefore find it sensible to employ someone in a comparable role to oversee data protection but with the freedom to be more involved in the practicalities.

How does the DPO fit into the organisation?

Article 38 explains the DPO’s position:

• The controller and processor must ensure the DPO is involved “properly and in a timely manner” in all issues relating to the protection of personal data, and support them in performing their tasks by providing necessary resources and access to personal data and processing operations, and by maintaining their expert knowledge.

• The DPO must not receive instructions regarding the exercise of their tasks, and cannot be dismissed or penalised for performing them.

• The DPO must report to the highest management level of the controller or processor.

• Data subjects may contact the DPO with regard to personal data processing issues and the exercise of their rights under the GDPR.

• DPOs shall be bound to secrecy or confidentiality concerning the performance of their tasks.

• DPOs may fulfil other tasks and duties, but there must not be a conflict of interest.

Organisations must publish the DPO’s contact details and inform the supervisory authority.

They must also provide the DPO’s contact details to data subjects, where applicable, when personal data is collected – whether directly from the data subject or from a third party (Articles 13 and 14).

The name and contact details of the DPO should be recorded (Article 30), and should be communicated to the supervisory authority in the event of a data breach notification (Article 33).


What experience and qualifications does a DPO need?

Although the GDPR does not specify the credentials or expertise that DPOs should have, Article 37 states that they should be appointed “on the basis of professional qualities and, in particular, expert knowledge of data protection law and practices and the ability to fulfil the tasks referred to in Article 39”.

Recital 97 clarifies that “The necessary level of expert knowledge should be determined in particular according to the data processing operations carried out and the protection required for the personal data processed by the controller or the processor.”

According to the WP29 guidelines, the DPO’s level of expertise “must be commensurate with the sensitivity, complexity and amount of data an organisation processes”.

In other words, organisations that undertake complex personal data processing activities, or that process large amounts of sensitive data, will require a DPO with more expertise than a smaller organisation whose processing activities are more limited.

Article 37(5) does not specify the professional qualities that a DPO should have, but the WP29’s guidance states that they ought to “have expertise in national and European data protection laws and practices and an in-depth understanding of the GDPR”.

Expertise specific to the organisation itself – especially its other legal or regulatory obligations – is also essential, as is knowledge of its specific data protection needs and processing activities.

Salary expectations

Although the DPO role is not new, the GDPR has popularised it to such an extent that the demand for suitably experienced and qualified personnel now far outstrips supply, so DPO positions tend to pay very attractive salaries.

According to itjobswatch.co.uk, the median annual salary for a DPO in the UK (excluding London) in the 6 months to February 2019 was £60,000, which represents a 26.32% year-on-year increase.

How GRCI Law can help

Many organisations find it challenging to meet their DPO obligations, given the knowledge of data processing and data security operations, and the familiarity with the legal aspects of the GDPR, that are required.

Fortunately, the Regulation allows organisations to outsource the DPO role to an external provider so that they can comply with their legal obligations without losing focus on their core business activities.

This is particularly helpful for small and medium-sized organisations that have tighter budgets than their larger counterparts, do not have the necessary internal expertise to appoint an existing staff member, or cannot appoint an internal DPO without creating a conflict of interests.

IT Governance’s sister company GRCI Law’s DPOaaS (DPO as a service) gives you access to a team of in-house legal experts, who will serve as your organisation’s independent DPO, in compliance with the GDPR.

Get dedicated support from a qualified DPO team:

• A practical and cost-effective way of remaining GDPR compliant.

• Access to independent DPO expertise not available internally.

• No conflict of interest between the DPO and other business activities.

• Application of best practice in achieving and maintaining compliance with the GDPR.

• Cost effective compared to an internal appointment.

• Access to a broad range of GDPR training and compliance solutions.


Why GRCI Law?

GRCI Law’s team comprises qualified lawyers and cyber security, information security and data protection practitioners with many years’ experience as DPOs, as well as legal, risk and compliance expertise.

Part of GRC International Group, GRCI Law is a wholly independent company with its own management structure and staff. This is important because it means it can provide services entirely independently of the other GRCI group companies, ensuring it avoids any potential conflicts of interest.

The benefit of GRCI Law’s affiliation with IT Governance is that any remediation work it recommends can be carried out by IT Governance’s consultants, and GRCI Law is able to review and audit that work to provide independent assurance that the client’s risk management, governance and internal control processes are operating effectively. And because GRCI Law is not constrained by the traditional structures of law firms, it can help you faster than traditional law firms and at a better price.

Case studies

Here are some examples of how GRCI Law has helped clients who needed a DPO.

Scenario 1

A client reported that a job applicant (the data subject) had provided their medical history, including information relating to a gender reassignment, as part of their application. They subsequently became a member of staff. Some months later, it transpired that an employee (‘the informant’) had disclosed this sensitive information to two non-HR staff members, who informed their employer. The informant was dismissed on notice and the incident was reported to the DPO. The data subject left the client’s employment.

The DPO notified the ICO, which took no action in light of the steps the client had taken to mitigate the breach, the dismissal of the informant and its staff awareness/training measures.

Scenario 2

An organisation in the higher education sector requested support developing policies and procedures for processing the personal information of applicants with criminal convictions.

The first draft provided to the DPO for review was not completely in line with the GDPR and Data Protection Act 2018, as it showed the organisation systematically and indiscriminately requested that prospective students declare whether they had any spent and/or unspent criminal convictions or offences.

In order to process data relating to criminal convictions, organisations need a lawful basis under Article 6 of the GDPR as well as a justification in line with Article 10. Moreover, it might not be necessary to process such information at all, depending on the course the student(s) will be enrolled in. Policies and procedures, and questionnaires for prospective students to fill in, should be aligned with the current legislation.

The ICO’s guidance suggests the justification threshold around asking for information about criminal convictions is very high; therefore any request for disclosure must be necessary, proportionate and timely.

If organisations consider it necessary to collect information relating to criminal convictions as part of the admissions process, they should undertake the following:

• Document the lawful basis for processing.

• Document the data conditions so they can demonstrate compliance and accountability.

• Inform data subjects of their grounds for processing this data to meet their transparency requirements.

Organisations need to comply with the applicable standards on data protection and privacy, and take account of ICO guidance to avoid complaints from data subjects as well as fines from the ICO.

Scenario 3

Clients request information about GDPR and PECR compliance and how it applies to their marketing strategies, because the overlap between the two laws causes confusion and one of the 2018 amendments to the PECR introduced director liability.

GRCI Law worked with them to put process maps in place to ensure staff are aware of the important steps that need to be taken for PECR- and GDPR-compliant marketing communication, including when using purchased contact lists, using social media platforms for direct marketing, and maintaining their opt-in and opt-out processes.


DPOaaS

With GRCI Law’s DPO as a service, you can outsource your DPO requirements to experts.

They’ll complete the necessary tasks and provide you with guidance whenever you need it, helping you to comply with your GDPR obligations without losing focus on your core business activities.

Contact us

For more information about how GRCI Law’s services can help you, visit www.grcilaw.com, call +44 (0)333 900 5555 or email [email protected].


United Kingdom: Unit 3, Clive Court, Bartholomew’s Walk, Cambridgeshire Business Park, Ely, Cambs., CB7 4EA, United Kingdom. t: +44 (0)333 800 7000 e: [email protected] w: www.itgovernance.co.uk

Europe: t: +44 (0)333 800 7000 e: [email protected] w: www.itgovernance.eu

USA: t: +1 877 317 3454 e: [email protected] w: www.itgovernanceusa.com

Asia: t: +00 800 48 484 484 e: [email protected] w: www.itgovernance.asia

Gulf: t: +00 800 48 484 484 e: [email protected] w: www.itgovernancegulf.com

© 2003-2019 IT Governance Ltd | Acknowledgement of Copyrights | IT Governance Trademark Ownership Notification