New guidance concerning mandatory DPOs
Will you need to appoint?
When we first looked at the GDPR we were asked by our clients if we thought they would be caught by Article 37 of the regulation – the mandatory requirement to nominate a DPO. While it seemed to us that many might well fall under the scope of the requirement we have been waiting for guidance to make it clearer the first of which was published on 13th December by the body comprising national data protection authorities from each member state of the EU (including our ICO) responsible for providing expert advice from the national level to the European Commission on data protection matters known as the Article 29 Working Party or WP29.
To recap GDPR requires organisations to have a DPO by law in the following circumstances:
Where a controller or processor is:
a) a public authority or a public body[2];
b) undertaking large-scale processing of special categories of personal data and data relating to criminal convictions and offences as a core activity;
c) undertaking large-scale regular and systematic monitoring of data subjects as a core activity.
The guidance provides some definition of “large-scale” along with thoughts as to the types of organisations that might be considered “public bodies”.
Individual Documented Analysis
While the guidance is easy to read and assimilate it cannot be expected to provide all of the answers for every organisation in Europe and the WP29 guidelines advise, “Unless it is obvious that an organisation is not required to designate a DPO, the WP29 recommends that controllers and processors document the internal analysis carried out to determine whether or not a DPO is to be appointed, in order to be able to demonstrate that the relevant factors have been taken into account properly.” This is sensible advice, a good starting point, and a course of action we at Data Protection People have been suggesting for some time: you should undertake a thorough analysis of your own situation having reviewed the WP29 paper and the GDPR, and make and document your findings and decision.
This is another great example of GDPR’s drive to push us to maintain better documentation about our governance regime and decision-making.
We at DPP expect to publish a framework to assist with this analysis in the New Year but suffice to say you probably should have determined your need for a DPO by the Spring of 2017.
Factors to Consider
The WP29 paper does not give all the answers for all industrial sectors but it does give us some really good pointers setting out its view regarding testing your circumstances against the qualification criteria the first of which is whether an organisation is a public authority or public body.
Public Authority or Public Body
Public authorities are generally pretty easy to identify but there are a very large number of organisations providing public services, carrying out public tasks or exercising public authority that might be classified as public bodies including many private companies. The guidance mentions public housing, public transport, and utilities as being organisations which would fall into this category and which therefore should appoint a DPO in accordance with Article 37. However it recommends national laws of each state determine which organisations fall within the definitions of public authority/body to allow for the variations in how public services are delivered across the 28 member states and 510 million citizens so watch out for further clarification.
Core Activities
As expected WP29 believe that core activities should not be interpreted restrictively. While the core activities of a housing association are building homes and providing tenancies, they could not achieve this without processing tenant data and therefore the data processing activities should be considered to be one of the housing providers’ core activities. No surprise there!
Large Scale
WP29 goes on to explore what might constitute a “large scale” and tells us to consider the following:
The number of data subjects;
The volume of data and range of different data items being processed;
The duration or permanence of data processing;
Geographical extent of processing.
This then is not just about large volumes of data subjects but involves applying other applications of the word “large” to the data processing. WP29 goes on to give examples of what it considers large-scale processing:
Processing patient data by a hospital;
Processing travel data of individuals using a city’s passenger transport service;
Processing customer data by an insurance company or a bank.
So would a large 20,000+ housing association be processing as much data as a small hospital? Would it cover a broader geographic area? Might it processes and equally broad range of data? In many cases I think it quite likely. Would a large premier league football club be processing as much and as varied data over as broad a geographic area as an insurance company? In my 15+ years’ experience working in the football sectors I can think of numerous examples where it would.
Regular and Systematic Monitoring
WP29 break this down into “regular” and “systematic” and gives some examples of data processing activities that it considers would be caught by this qualification criteria. Email retargeting, profiling and scoring for the purposes of risk assessment, closed circuit television, and the use of connected devices such as smart meters and home automation are all cited as examples of regular and systematic monitoring likely to fall within the scope of the GDPR requirement for a mandatory DPO. The interpretation of what might be regular and also what might be systematic are broad based and WP29 advises against narrowly interpreting “monitoring” to mean online.
Special Categories of data and data relating to criminal convictions and offences
WP29 concludes that there is a typo in GDPR suggesting that “the processing of special categories of data pursuant to Article 9, and personal data relating to criminal convictions and offences set out in in Article 10” should be read as saying “or” rather than “and”. So if you’re an organisation offering care services, or re-housing offenders, or handling large volumes of special categories of data – then again you may well be caught by this interpretation of the provision.
The purpose of the DPO
As final qualification criteria to be considered in an individual assessment the guidance contains a powerful sentence providing an overall steer as to why you may elect to appoint a DPO in borderline cases advising that where individuals have, “little or no choice over whether and how their data will be processed (they) may thus require the additional protection that the designation of a DPO can bring.” A very clear steer regarding the role of the DPO.
We have long considered good data governance to be a source of commercial competitive advantage and if the DPO is doing the role envisaged by GDPR, then this will provide assurance to data subjects.
Conclusion
Rolling this all together and considering the way forward, it seems highly likely to us that many of our clients may well be caught by the qualification criteria on a number of counts. For example in the case of social housing providers:
a) May be deemed public bodies;
b) May be processing a sufficiently large and varied volume of data as a core activity;
c) May well be using profiling to risk assess rental arrears;
d) May be processing special categories of personal data on a sufficiently large scale.
First job is to undertake a deep dive into your operations and document your findings as recommended by WP29. If after this exercise has been completed there is evidence that the criteria points will be met, meaning that a DPO may be mandatory, our advice is to set about determining how best to fill the role: internal expert resource or a bought-in specialist. The last thing you need is to be under pressure in 2017 to find a DPO who meets the expectations of the GDPR.
Philip Brining
DPP
Data Protection People are expert data protection consultants based in Leeds.
[2] Except for courts acting in their judicial capacity