Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (a.k.a. the General Data Protection Regulation or GDPR) will, as most business people are probably aware of by now, come into force across the EU on 25 May 2018.
This will be the case in the UK (notwithstanding Brexit) and every other member state, since EU regulations have direct applicability. In other words, they do not need an act of parliament in the member state to make them into law. By contrast, EU directives are not directly applicable. When passed they still need legislation to be passed before they become part of national law. The current regime of the 1995 Data Protection Directive, and the UK’s Data Protection Act of 1998, both of which are due to be replaced next year, are good examples of this.
To complete the picture, from a UK regulatory perspective, in terms of what is changing, the government has introduced a Data Protection Bill which is currently passing through parliament. The Bill does not replace GDPR in the UK. Instead it seeks to make the UK’s own data protection laws “fit for purpose” in a digital age, replacing 1998 Act and, amongst other things, implementing the “GDPR standards across all general data processing”.
Data Protection Officer – Volunteers Step Forward
The concept of a Data Protection Officer (DPO) is not new in a number of countries, such as Germany and Korea, and in the United States in the context of health care data, where HIPAA applies. However, under Article 37(1) of GDPR the appointment of a DPO will soon be mandatory in the EU where:
- the relevant data processing activity is carried out by a public authority or body;
- the core activities of the relevant business involve regular and systematic monitoring of individuals, on a large scale;
- the core activities of the relevant business involve processing of sensitive personal data, or data relating to criminal convictions and offences, on a large scale; or
- national law so requires.
This is explained in more detail in Guidance published by the Article 29 Working Party.
Businesses may voluntarily appoint a DPO even though there is not legal requirement to do so; however appointing a DPO voluntarily means that the businesses must still comply with the full range of DPO-related compliance obligations even though there was no legal requirement to do so.
What Does Being a DPO Entail?
Under Article 39(1), the main tasks and activities to be performed by the DPO are:
- to inform and advise the controller or the processor and the employees who carry out processing of their obligations under GDPR and other applicable EU laws and regulations;
- to monitor compliance with GDPR, etc., and with the policies of the controller or processor in relation to the protection of personal data, including the assignment of responsibilities, awareness-raising and training of staff involved in processing operations, and the related audits;
- to provide advice where requested as regards the data protection impact assessment and monitor its performance pursuant to Article 35;
- to cooperate with the supervisory authority; and
- to act as the contact point for the supervisory authority on issues relating to processing etc.
In performing his or her tasks, a DPO must “have due regard to the risk associated with processing operations, taking into account the nature, scope, context and purposes of processing” (see Article 39(2)).
You’ll Do – Selecting the Right Candidate
The Guidance suggests that DPOs should have appropriate professional qualities and expert knowledge of data protection law, although there is recognition that the required level of expertise will vary depending on the business. Complex or high risk data processing activities will require the DPO to have greater expertise. Fortunately, although a business can only appoint one DPO, the Guidance does confirm that this person can be supported by a team.
The Guidance provides that the DPO should, ideally, be located within the EU to ensure that the DPO is accessible to the business. Further, businesses are advised to keep a written copy of the decision making which lead to the appointment of the DPO (as part of their wider accountability obligations). This should be repeated each time the appointment changes.
It’s Lonely Over Here – Autonomous and Independent
The role of the DPO is not an operational one but one that involves monitoring for compliance and providing advice to the business. The role should be carried out in an autonomous and independent manner. In other words, the business must not instruct the DPO on how to perform his or her role. The DPO must be allowed to operate above any conflicts of interests that occur within the business, with internal rules and safeguards to facilitate this. For this reason, the Guidance bans individuals within an organisation who have senior management roles or who have operational roles which cause them to determine the purposes and means of processing.
Outsource the Problem?
A white paper published by the International Association of Privacy Professionals estimates that up to 75,000 DPOs will be needed as a result of GDPR. It is not immediately apparent where these individuals will come from.
One solution may be to outsource the DPO role to a third-party provider, that is to buy a DPO as Service solution from one of the growing number of providers positioning themselves in this space. Helpfully, Article 37(5), GDPR expressly provides that the DPO can be either a staff member or a contractor.
Outsourcing may be particularly attractive to SMEs given cost, time and other such pressures. However not every business needs to appoint a DPO, and as mentioned above, voluntary appointment brings with it a number of regulatory burdens which would not otherwise apply. That said, in today’s business environment, many SMEs may decide to appoint a DPO from a “best practice” perspective. Reasons to do this include the ability to tender for contracts where large customers and public sector bodies determine that the qualification criteria should include having a DPO as well as wanting to demonstrate to the public that data is handled and processed carefully and securely in a manner that complies with applicable laws and regulations.
As with any outsourcing, it is important to allocate sufficient time to assess the market and to conduct adequate due diligence on the shortlisted providers. As mentioned above, documenting the decision-making process and criteria applied in the selection of the DPO is also a GDPR requirement.
DPO as a Service – Market Assessment
In considering the different DPO as a Service offerings in the market, as well as determining whether to outsource or not, a number of factors will come into play, such as the size, and nature, of the organization, the existence of internal competences (including the ability (or otherwise) to ring-fence the DPO away from any conflicts that may arise), the categories of personal data processed, the complexity of the processing, digital transformation and automation plans, etc.
From a vendor evaluation perspective, key issues include access to relevant expertise (including ensuring that the individual who will perform the role has appropriate experience and qualifications such as Certified Data Protection Officer Certification), as well as pricing, service levels, reporting and exit support.
As yet, the market for DPO as a Service appears fairly immature, with largely smaller providers alongside organisations such as the British Standards Institute offering outsourced DPO services. It can be expected that this market will grow rapidly. In a recent blog discussing the opportunity for IT vendors to develop service offerings for customer’s GDPR compliance needs, analyst Mike Smart wrote that NelsonHall expects DPO outsourcing to grow fast and “expects to see a number of distinct offers around DPO emerge from IT services and law firms very soon.”
A word of caution for law firms however. The DPO must be able perform their duties in an independent manner and not cause a conflict of interest. That might, as pointed out in the Guidance, mean that where there is an external DPO appointment of a lawyer in a law firm providing day-to-day DPO services, that person’s firm become conflicted out of representing those entities before courts in cases involving data protection issues, not to mention related issues around managing the conflicts (under applicable professional rules) that might arise with the law firms’ other clients. For this reason, law firms may look to create DPO as a Service businesses which are ring-fenced from their core legal services businesses.