New guidance concerning mandatory DPOs – Will you need to appoint?

By Andrew Mason

Background

When we first looked at the GDPR, our clients asked us whether they would be caught by Article 37 of the regulation, the mandatory requirement to nominate a DPO. While it seemed to us that many might well fall within the scope of the requirement, we have been waiting for guidance to make it clearer. The first such guidance was published on 13th December[1] by the Article 29 Working Party (WP29), the body comprising the national data protection authorities of each EU member state (including our ICO), which is responsible for providing expert advice from the national level to the European Commission on data protection matters.

To recap GDPR requires organisations to have a DPO by law in the following circumstances:

Where a controller or processor is:

  a) a public authority or a public body[2];
  b) undertaking large scale processing of special categories of personal data and data relating to criminal convictions and offences as a core activity;
  c) undertaking large scale regular and systematic monitoring of data subjects as a core activity.

The guidance provides some definition of “large-scale” along with thoughts as to the types of organisation that might be considered “public bodies”.

Individual Documented Analysis

While the guidance is easy to read and assimilate, it cannot be expected to provide all of the answers for every organisation in Europe. The WP29 guidelines advise: “Unless it is obvious that an organisation is not required to designate a DPO, the WP29 recommends that controllers and processors document the internal analysis carried out to determine whether or not a DPO is to be appointed, in order to be able to demonstrate that the relevant factors have been taken into account properly.”  This is sensible advice, a good starting point, and a course of action we at Data Protection People have been suggesting for some time: having reviewed the WP29 paper and the GDPR, undertake a thorough analysis of your own situation, then make and document your findings and decision.

This is another great example of GDPR’s drive to push us to maintain better documentation about our governance regime and decision-making.

We at DPP expect to publish a framework to assist with this analysis in the New Year, but suffice to say you should probably have determined your need for a DPO by the Spring of 2017.

Factors to Consider

The WP29 paper does not give all the answers for every industrial sector, but it does give some really good pointers, setting out its view on how to test your circumstances against the qualification criteria. The first of these is whether an organisation is a public authority or public body.

Public Authority or Public Body

Public authorities are generally pretty easy to identify, but there are a very large number of organisations providing public services, carrying out public tasks or exercising public authority that might be classified as public bodies, including many private companies.  The guidance mentions public housing, public transport and utilities as organisations which would fall into this category and which should therefore appoint a DPO in accordance with Article 37.  However, it recommends that the national law of each state determine which organisations fall within the definitions of public authority/body, to allow for the variations in how public services are delivered across the 28 member states and 510 million citizens, so watch out for further clarification.

Core Activities

As expected, WP29 believes that core activities should not be interpreted restrictively.  While the core activities of a housing association are building homes and providing tenancies, it could not achieve this without processing tenant data, and therefore the data processing activities should be considered one of the housing provider’s core activities.  No surprise there!

Large Scale

WP29 goes on to explore what might constitute a “large scale” and tells us to consider the following:

  • The number of data subjects;
  • The volume of data and range of different data items being processed;
  • The duration or permanence of data processing;
  • Geographical extent of processing.

This, then, is not just about large numbers of data subjects but about applying the other senses of the word “large” to the data processing.  WP29 goes on to give examples of what it considers large-scale processing:

  • Processing patient data by a hospital;
  • Processing travel data of individuals using a city’s passenger transport service;
  • Processing customer data by an insurance company or a bank.

So would a large 20,000+ housing association be processing as much data as a small hospital?  Would it cover a broader geographic area?  Might it process an equally broad range of data?  In many cases I think it quite likely.  Would a large Premier League football club be processing as much and as varied data over as broad a geographic area as an insurance company?  In my 15+ years’ experience working in the football sector I can think of numerous examples where it would.

Regular and Systematic Monitoring

WP29 breaks this down into “regular” and “systematic” and gives some examples of data processing activities that it considers would be caught by this qualification criterion.  Email retargeting, profiling and scoring for the purposes of risk assessment, closed circuit television, and the use of connected devices such as smart meters and home automation are all cited as examples of regular and systematic monitoring likely to fall within the scope of the GDPR requirement for a mandatory DPO.  The interpretations of what might be regular and what might be systematic are broad, and WP29 advises against narrowly interpreting “monitoring” to mean online monitoring only.

Special Categories of data and data relating to criminal convictions and offences

WP29 concludes that the GDPR contains a drafting error here, and that “the processing of special categories of data pursuant to Article 9, and personal data relating to criminal convictions and offences set out in Article 10” should be read as saying “or” rather than “and”.  So if you are an organisation offering care services, or re-housing offenders, or handling large volumes of special categories of data, then again you may well be caught by this interpretation of the provision.

The purpose of the DPO

As a final qualification criterion to be considered in an individual assessment, the guidance contains a powerful sentence providing an overall steer as to why you may elect to appoint a DPO in borderline cases.  It advises that where individuals have “little or no choice over whether and how their data will be processed (they) may thus require the additional protection that the designation of a DPO can bring.”  A very clear steer regarding the role of the DPO.

We have long considered good data governance to be a source of commercial competitive advantage and if the DPO is doing the role envisaged by GDPR, then this will provide assurance to data subjects.

Conclusion

Rolling this all together and considering the way forward, it seems highly likely to us that many of our clients may be caught by the qualification criteria on a number of counts.  For example, social housing providers:

  a) may be deemed public bodies;
  b) may be processing a sufficiently large and varied volume of data as a core activity;
  c) may well be using profiling to risk assess rental arrears;
  d) may be processing special categories of personal data on a sufficiently large scale.

The first job is to undertake a deep dive into your operations and document your findings as recommended by WP29.  If, once this exercise has been completed, there is evidence that the criteria will be met, meaning that a DPO may be mandatory, our advice is to set about determining how best to fill the role: an internal expert resource or a bought-in specialist.  The last thing you need is to be under pressure in 2017 to find a DPO who meets the expectations of the GDPR.

Philip Brining

DPP

Data Protection People are expert data protection consultants based in Leeds.

[1] Article 29 Data Protection Working Party, Guidelines on Data Protection Officers, 13/12/2016, accessed 19/12/2016 from http://ec.europa.eu/information_society/newsroom/image/document/2016-51/wp243_en_40855.pdf

[2] Except for courts acting in their judicial capacity
