Insights
Keep up to date with our latest insight pieces, news and industry developments. See below for the latest posts or use the categories to hone your search for stories of interest.
Rather listen? The WABChats Podcast provides engaging and informative conversations with contacts, clients, advisors and friends of White & Black Limited. Listen Now.
WP29 GDPR Guidelines: Data Protection Officers
Article 29 Working Party provides new guidelines with respect to data protection officers under the GDPR.
The Article 29 Working Party (WP29), an advisory body made up of national data protection officers from across European Union (EU) Member States, has published three sets of guidelines on how the incoming General Data Protection Regulation (GDPR) will work in practice (Guidelines).The Guidelines focus on three separate issues: data protection officers; data portability; and lead supervisory authorities. These three issues will all place new obligations on some organisations under the GDPR which will come into force in May 2018.
You can see our previous blog posts on GDPR developments here.
This blog post will focus on the Guidelines on data protection officers.
The obligation to appoint a data protection officer (DPO)
Under the incoming GDPR it will be mandatory for certain data controllers and processors to appoint a designated DPO. The Guidelines clarify the circumstances under which a DPO must be appointed.
All public authorities and bodies must appoint a DPO regardless of the type of personal data they process. For all other ‘non-public’ organisations, a DPO must be appointed where systematic monitoring of individuals on a ‘large scale’ is part of their ‘core business’ or where an organisation processes special categories of personal data on a ‘large scale’.
Benefits of appointing a DPO
The WP29 believes that appointing a DPO encourages accountability and facilitates compliance with applicable data protection laws. In addition, DPOs act as intermediaries between relevant stakeholders, particularly within larger organisations.
Organisations that are not required by law to appoint a DPO may do so voluntarily, although it should be noted that DPOs who have been voluntarily appointed still attract the same protection as mandatory DPOs.
‘Core activities’
Personal data processing must form part of an organisation’s ‘core activities’ rather than its ‘ancillary activities’ in order to trigger the requirement to appoint a DPO under the GDPR.
It may be difficult for some businesses to determine what constitutes a core activity for the purposes of the GDPR. The WP29 recommends assessing the ‘key operations’ which form part of a controller or processor achieving its objectives and any processing which could be considered an ‘inextricable part’ of the controller or processor’s activity.
Processing personal data for general administrative functions such as paying staff or IT support would not, on its own, trigger the need to appoint a DPO. However, the WP29 gives the example of a hospital: its key objective is to provide healthcare, but this objective cannot be met without processing patient data, therefore data processing would be considered a core activity.
‘Large scale’ processing
It is not clear what degree of processing is required in order for processing to be considered ‘large scale’ and therefore trigger the need for a DPO to be appointed. The Guidelines set out factors that should be considered when determining whether processing constitutes ‘large scale’ including: the number of data subjects concerned; the volume of the data; the duration of processing; and the geographical extent of the processing.
The Guidelines also give some practical examples of what would be considered large scale processing for the purpose of the GDPR including the processing of personal data for behavioural advertising by a search engine or the processing of customer data in the regular course of business by an insurance company or a bank. The WP29 proposes to continue to share and publicise examples of large scale processing going forward.
Special protection
The GDPR establishes basic guarantees to help ensure that DPOs are able to perform their tasks independently. Organisations must implement safeguards which include not allowing the DPO to be dismissed or penalised by the controller for the performance of his/her tasks, avoiding conflicts of interest and not prescribing how a DPO should perform his/her tasks.
It is these safeguards which ensure that DPOs maintain their special status as independent advisors and “key players in the new data governance system”.
WAB Comment
The WP29 Guidelines give useful examples that will help organisations understand if they are required to appoint a DPO. However, many of the obligations regarding the appointment of DPOs under the GDPR are still unclear.
The position of a DPO, with its protected status, will be new to many businesses. Given the increased penalties that can be issued to non-compliant businesses under the GDPR, businesses will be keen to ensure that they are complying with their obligations to appoint a DPO and will no doubt welcome further guidance to clarify those issues which remain uncertain.
You can access the data protection officer Guidelines here and the frequently asked questions here.
This blog post was written by Amelia Day, trainee solicitor at White & Black.
Disclaimer: This article is produced for and on behalf of White & Black Limited, which is a limited liability company registered in England and Wales with registered number 06436665. It is authorised and regulated by the Solicitors Regulation Authority. The contents of this article should be viewed as opinion and general guidance, and should not be treated as legal advice.