The early drafts of the GDPR contained different criteria for determining when the designation of a DPO was mandatory, which included, for example, organisations employing more than 250 people or processing more than 5,000 personal data records. It surprises me that some people still believe that this is still the case. In its final form, the complexity, potential impact and scale of the processing activities, rather than the size of the organisation, are the determining factors. In the UK, DPOs are mandatory for most public authorities and for organisations whose core activities consist of large-scale processing of special category personal data or personal data relating to criminal convictions and offences, or of processing which requires ‘regular and systematic monitoring of data subjects on a large scale’. The rules may vary in other Member States of the EU, which are free to require a DPO in further cases.
The obligation to appoint a DPO applies equally to controllers and processors. Articles 37, 38 and 39 and Recital 97 provide the detail. Recital 97 describes a DPO as a person with ‘expert knowledge of data protection law and practices’ who ‘should assist the controller or processor to monitor internal compliance with the Regulation and who, whether or not they are an employee of the controller, should be in a position to perform their duties and tasks in an independent manner.’
There are several important points to note here:
- a DPO does not have to be an employee;
- they are there to assist an organisation to monitor compliance;
- they should be able to operate independently;
- they need to have expert knowledge not only of data protection law, but also how to apply it in practice.
So, for those wondering whether they can engage a third party to act as their DPO, that is, outsource the role, the answer is clearly “yes”. Article 37(6) makes this explicit: the DPO may be a staff member of the controller or processor, or may fulfil the tasks on the basis of a service contract.
Select your DPO with care
But select that person with care because they could be the difference between making good decisions and decisions which are either non-compliant or which unnecessarily tie your operations up in red tape. I can recount many occasions where I have been told “DPO says no!” through an overly cautious or plainly incorrect interpretation of the law.
The ability to work well with data protection law comes from having a detailed understanding of it: not just what it says in black and white in the Articles, but how it is interpreted by the courts, by the Supervisory Authorities, and by leading practitioners and academics. And we need to read outside our own shores. The European Data Protection Board has endorsed guidelines on DPOs (originally issued by the Article 29 Working Party) that a DPO should be familiar with. The Spanish and French Supervisory Authorities have both produced excellent materials on data protection officers and impact assessments respectively. By contrast, one or two items produced by the ICO are woolly and narrowly focussed, which could easily lead to incorrect assumptions being made by DPOs with limited reading. An effective DPO must be a student of the law: someone who enjoys reading about and considering law.
These skills must be complemented by pragmatism. An effective DPO also needs to have ‘been there’. They need to understand how organisations work in reality, what measures are easy to implement and what measures are difficult to make stick. They need to know what implementation actually involves!
The DPO is there to advise, not necessarily to ‘do’. Using their expert knowledge and practical understanding of the operations they are advising on, they should provide advice and guidance to the rest of the organisation: the ones involved in data collection, the writing of marketing materials, the commissioning of data processors, the sharing of data and so on. They are not precluded from ‘doing’ but must guard against having a conflict of interest, which Article 38(6) expressly prohibits. The DPO cannot ensure compliance; they can only help change culture and work practices by monitoring and pointing out things that are not right or which could be improved. Ultimately, the people handling the personal data and making decisions about how personal data are processed are the ones who can ensure compliance.
Monitoring data protection
Perhaps the most important aspect of the DPO’s duties is monitoring compliance. The purpose of monitoring is to be in a position to highlight areas of non-compliance, or areas at risk of becoming non-compliant, to management and/or those in charge of processing activities. Monitoring can be achieved in a number of ways, including on-site methods such as: monitoring by walking about; conducting compliance checks and formal audits; and holding data protection surgeries and workshops. But it can also be achieved remotely, for example: through regular telephone contact with key people; documentation review; and through monitoring key performance indicators (KPIs), which in this field are metrics such as the number of hours of data protection training undertaken each month, reported security incidents, data subject rights requests, DPIAs (data protection impact assessments) and LIAs (legitimate interests assessments) undertaken, and so on. These KPIs provide quantitative information that indicates the ‘health’ of the data protection management arrangements. If all the dials are on zero or in the red, then you are likely to have problems somewhere in your data protection management system or operations.
Arguably the most effective monitoring, and that which is done with the most independence and objectivity (i.e. unhampered by internal politics, relationships, history or other such baggage), is that undertaken by an outsourced DPO. A professional DPO is likely to have several clients and therefore a breadth of experience and knowledge. They will observe best practice developing in one client and be able to suggest it to others. They may be part of a team and therefore have an expert sounding board to check their advice before putting forward suggestions, as well as being able to provide holiday cover in the event of an emergency such as a personal data breach.
A good way to think about a DPO is to draw a parallel with a Health and Safety Manager. They cannot ensure everyone works in a safe manner, but they can monitor, advise, set out the rules and help change culture. In the field of health and safety the concept of ‘zero tolerance’ is well rooted. It is time everyone adopted this ethos towards data protection. Compliance and continual improvement are everyone’s responsibility, not just that of the DPO.
When pitching for work as the Outsourced DPO we often come up against companies offering to act as a DPO for as little as £300 per year. While you may think that this is an absolute bargain, pause for a while and think again. All of the functions of a DPO are time-related. Monitoring takes time, advising takes time, reviewing things takes time. One needs a lot of clients paying £300 p.a. to make a living and/or run a business, and in this case lots of clients leads to insufficient time spent on each account. Paying too little for a DPO is a dangerous pursuit: it gives a false sense of comfort and coverage.
So, the short answer is that you can outsource your DPO function, and in some respects you would do best to do this. But select them carefully, as they may be the difference between compliance, compliance with a detrimental impact on business efficiency, and non-compliance. The worst position to be in is thinking that you have the DPO role fully covered when in fact you are exposed. Draft a job specification to define precisely what you expect from an outsourced DPO, together with a defined work methodology and a service level agreement. It’s high stakes if you get it wrong.