Outsourcing the role of the Data Protection Officer

On 25 May this year, the EU General Data Protection Regulation will come into force. The “GDPR”, as it is commonly known, brings in a new approach to data protection across the EU, with a marked focus on self-regulation and internal accountability. From this date, many businesses and other entities such as charities (as well as most public authorities and public bodies) will have to appoint an individual to act as their Data Protection Officer (“DPO”) regardless of whether they operate as data controllers or as data processors.

Apart from public authorities, a number of other entities will, in most cases, be required to appoint a DPO. These include entities whose core activities involve large scale regular and systematic monitoring of individuals; large scale processing of special categories of personal data (sensitive data such as information about race, ethnic origin and religious beliefs, sexual preferences, health, genetic and some biometric data); and handling data relating to criminal convictions and offences. For these entities, failing to appoint a DPO when required could be expensive, with the potential for very large fines in the worse cases.

Businesses should keep a written copy of the decision making process that leads to the appointment of the DPO (as part of their wider accountability obligations) and this process should be repeated each time the appointment changes. If they decide against appointing a DPO, they should also document their reasons for this.

Are you required to appoint a DPO?

Determining whether or not you are caught by the rules will be straightforward in some cases, but more difficult in others. Concepts such as “core activities”, “regular and systematic monitoring”, and “large scale” will need to be carefully considered. Fortunately, these and other relevant terms are explained in more detail in Guidelines that have been published by an independent EU data protection advisory body called the Article 29 Working Party. For example, the Guidelines explain that a controller or processor’s “core activities” are those “key operations necessary to achieve” its goals and not ancillary activities requiring personal data to be processed. For example, the core activity of a hospital is providing health care, however the hospital’s processing of personal data is an inseparable part of its (core) activities, as it could not provide healthcare without processing its patients’ health records and other medical data.

The Guidelines provide valuable insight into the sometimes complex landscape of GDPR and are recommended reading. They will also assist the DPO with fulfilling their requirement to facilitate an organisation’s compliance with GDPR, through implementing accountability tools such as data protection impact assessments and carrying out (or facilitating) audits.

See also:

• Cisco: 53% of companies surveyed lost $500,000 from cyberattacks last year

• How data-mapping and policy automation can help companies prepare for GDPR

• Business, Brexit and the GDPR

What does a DPO do?

The role of the DPO is not an operational one. Instead, it will involve monitoring for compliance and providing advice to the business in an autonomous and independent manner. This means that the business must not instruct the DPO how to perform his or her role.  However, the DPO will still need top-down support from senior management as well as access to key employees and other resources to fulfil his or her role. The DPO should also have appropriate professional qualities and expert knowledge of data protection law, although the required level of expertise will vary depending on the business. He or she will also need to understand the actual processing activities carried out, related information technology and data security issues and be able to promote a data protection culture across the business.

Could outsourcing the DPO role be the solution?

Given the specific requirements for the candidate and necessity for the role to be autonomous, organisations may struggle to find the right person internally. However, the GDPR states that the DPO can also be an external contractor appointed under a service contract and, in light of this, outsourcing may be a good solution. The contract must guarantee the independence of the DPO and should contain a clear description of the tasks and responsibilities to be performed, including the nomination of a lead individual where the tasks are to be performed by a team, as well as pricing, service levels, reporting and exit support.

Outsourcing may be particularly attractive to SMEs given cost, time and other similar pressures. As with any outsourcing, it is important to allocate sufficient time to assess the market and to conduct adequate due diligence on the shortlisted providers, in order to identify issues such as guaranteeing access to relevant expertise and ensuring that the individual who will perform the role has appropriate experience and qualifications, such as Certified Data Protection Officer Certification. The decision-making process and criteria applied in the selection of the DPO must be documented. Relevant factors will include the size, and nature, of the organisation; the existence of internal competences (including the ability (or otherwise) to ring-fence the DPO away from any conflicts that may arise); the categories of personal data processed; and the complexity of the processing, digital transformation and automation plans.

Conclusion

Although not every business will need to appoint a DPO, many SMEs will decide to appoint one from a “best practice” perspective. Reasons for doing this include the ability to tender for contracts where large customers and public sector bodies determine that the qualification criteria should include having a DPO, as well as wanting to demonstrate to the public that data is handled and processed carefully and securely in a manner that complies with applicable laws and regulations.

Whether the decision is made to appoint a staff member or a contractor as DPO, the position of DPO in any organisation will be an important appointment to which adequate time and diligence should be devoted. No matter the approach, it is important that the decision making process should be documented in all cases.

Tim Wright, Partner and Steven Farmer, Counsel in Pillsbury’s Global Sourcing & Technology Transactions group