Do You Need to Appoint a Data Protection Officer?

Transcript of the Video

Good evening, it's Suzanne Dibble here, data protection law expert coming to you raw and uncut, particularly raw this evening because I've got an absolutely cracking headache. But as I committed to do a video a day for you until GDPR comes into force, here I am.

So the question that we're going to talk about today is, do you need to appoint a data protection officer? The questions have already been asked in the group actually, so obviously, some of you are familiar with the fact that there are certain organizations that are going to have to appoint a data protection officer.

I think the draft of the GDPR actually suggested that anybody with less than 250 employees wouldn't have to appoint a data protection officer, but that's gone away now. It's a different test, so I just want to tell you what that is. I'm going to read a lot of it out because my brain won't work as well as I want it to at the moment.

Okay so there's, if you fall into these particular categories then appointing a data protection officer is mandatory, and there are specific fines for not actually appointing the data protection officer. So it's key that you work out whether you do need to, or you don't need to worry about it.

So the DPO is required where the processing is carried out by a public authority or body. So more than likely most of you, all of you in this group aren't going to fall into that category. It's the next two that you've got to worry about, and as is often the case, it's not entirely clear what this means. There is some Working Party guidance on it, which I'll be talking you through in a bit. But the first is that where the core activities of the controller or the processor consist of processing the operations, which require regular and systematic monitoring of data subjects on a large scale.

I'm just going to scroll down to what the Working Party guidance says on that. Now they're breaking it down into the various words used in that, so core activities were one of them. What does core activity mean? It should not be interpreted as excluding activities where the processing of data forms an inextricable part of their activity. They give an example of a hospital, now the core activity of a hospital is to provide health care. But a hospital could not provide health care safely and effectively without processing health data, such as patient’s records. Therefore processing that data should actually be considered to be one of the hospital’s core activities, and therefore hospitals have to designate, have to appoint data protection officers.

They give another example of a private surveillance, sorry, private security company that carries out surveillance on a number of private shopping centers and public spaces. Surveillance is the core activity of the company, which in turn is inextricably linked to the processing of personal data. So they must also designate a data protection officer. Just noted there are some very strange things going on with the light in the background, so if that's distracting you, apologies for that.

On the other hand, all organizations carry out certain activities such as paying employees or having standard IT support activities. Those are necessary support functions to support the core activity or the main business. Even though those activities are necessary, or essential, they're usually considered ancillary functions rather than the core activity. So that's a little bit of guidance on what core activity actually means.

Then we go on to look at what does large-scale mean. They're not able to do PR and indeed the Working Party isn’t able to give a number of threshold at which something becomes large scale. But the Working Party have recommended that the following factors be considered in determining whether you are actually processing on a large-scale or not. Those are, the number of data subjects concerned, as you might imagine, either as a specific number or as a proportion of the relevant population. The volume of data and/or the range of different data items being processed. The duration or permanence of the data processing activity, and the geographical extent of the processing activity.

They do... This light’s bonkers, isn't it? I don't know what's going on with it, I think it's just because I'm leaning forwards and backwards, and the phone's altering the light automatically. So examples of large-scale processing include, as we said processing of patient data in the regular course of a business by a hospital. Processing of travel data of individuals using a city’s public transport system. Processing real-time geolocation data of customers, in an international fast food chain for statistical purposes. These are quite random examples, aren't they? Processing of customer data in the regular course of business by an insurance company or a bank. Processing personal data for behavioral advertising by a search engine, processing of data by telephone or internet service providers.

Okay, they're examples of large-scale processing. Examples that don't constitute large-scale processing include, just two examples of this, processing patient data by an individual physician. Too late to say that word. Processing of personal data relating to criminal convictions and offenses by an individual lawyer. Okay, now we come onto what's regular and systematic monitoring. Again, it's not defined, rather helpfully. But it is mentioned in Recital 24, and it clearly includes all forms of tracking and profiling on the internet, including for the purposes of behavioral advertising. But it's not restricted to the online environment and online tracking should only be considered as one example of monitoring the behavior of data subjects. So it's wider than online monitoring.

So what does regular mean? Well, it means ongoing, or occurring at particular intervals for a particular period or recurring or repeated at fixed times. Or constantly, or periodically taking place. The Working Party interprets systematic as meaning one or more of the following. Occurring according to a system, prearranged, organized or methodical. Taking place as part of a general plan for data collection, carried out as part of a strategy.

Okay, so examples that may constitute regular and systematic monitoring are, operating a telecoms network. So if we have anyone in the group who operates a telecoms network then chances are you're going to have to appoint a data protection officer. If you provide any telecommunication services you'll have to appoint a DPO. Profiling and scoring for purposes of risk assessment, e.g. credit scoring, the establishment of insurance premiums, fraud prevention, detection of money laundering. Location tracking, for example by mobile apps. Monitoring of wellness, fitness and health data via wearable devices. Closed circuit TV, and connected devices, e.g. smart meters, smart cars, home automation etcetera.

Now the interesting ones for this group, and I don't imagine that anyone in this group falls into any of those categories that I've mentioned. But the interesting ones that they do mention are email retargeting, data-driven marketing activities, loyalty programs, and behavioral advertising. So I think certainly with the email retargeting we're going to have some people in this group who do fall into that category. So let’s just recap the general clause, so that you can see whether you fall into this or not. Where has it gone?

So where the core activities, and we talked about what that means, where the core activities of the controller or the processor consist of processing operations, which require regular and systematic monitoring of data subjects on a large scale. Okay so with that email retargeting, it's whether your core activities require that regular and systematic monitoring of data subjects, and whether it's on a large-scale or not. So there are quite a lot of criteria there to consider. Please don't go away with the impression that if you do any email retargeting that you've got to go and appoint a DPO.

So those criteria again, because it is I know, this is quite complex. It's where the core activities consist of processing operations, which require regular and systematic monitoring of data subjects on a large scale. Now I imagine that most people in the group are not going to fall into that category, please do ask in the comments below if you feel that there is a risk that you do fall into that category, and we can take it a bit further.

Now the next type of business that is going to need to appoint a data protection officer is where the core activities consist of processing on a large-scale of special categories of data. So that's the sensitive data that we've been talking about. Things like health data, race data, and political persuasion etcetera. I've previously posted in the group what those categories are, and I'll do so again in this video, in the comments. So you're either processing on a large-scale of special categories of data or personal data relating to criminal convictions and offenses.

Now I suspect that nobody in the group is processing in relation to criminal convictions and offenses. But there probably are people who are processing special categories of data, sensitive data. Now the key word there obviously is on a large scale. So let's see if there's any separate guidance on a large scale. Okay, they've given some examples here that I'm just going to read out.

Okay so, and this is actually talking about targeted advertising and marketing, so this would be quite useful for us. So a small family business active in the distribution of household appliances, in a single town, uses the services of a processor whose core activity is to provide website analytic services and assistance with targeted advertising and marketing. The activities of the family business and its customers do not generate processing of data on a large scale. Considering the small number of customers and the relatively limited activities. However, the activities of the processor, having many customers like this small enterprise taken together, are carrying out large-scale processing.

So the processor must, therefore, designate a data protection officer, under Article 37. At the same time, the family business itself is not under an obligation to designate a DPO, which is what you'd expect isn't it really? So the provider of the website analytic services, and providing advertising and marketing services that are targeted, they have to appoint a DPO. But the consumer of those services, the small family business doesn't have to appoint a DPO.

They give another example there, a medium sized tile manufacturing company, I do sometimes wonder how they dream up these examples. A medium sized tile manufacturing company subcontracts its occupational health services to an external processor, which has a large number of small clients. The processor shall designate a DPO under Article 37, provided that the processing is on a large scale. However, the manufacturer is not necessarily under an obligation to designate a DPO. So this is obviously the entity that is providing as a service, occupational health services, they need to designate a DPO because they will be processing sensitive data on a large scale. The medium sized tile manufacturing company probably won't need to designate a DPO.

Okay, so I think that is all the guidance. Let me just check. Now if you do need a DPO there are lots in the Act about actually who you can appoint as a DPO because they do prescribe what expertise and skills the DPO needs to have. There's also quite a lot of detail about what they actually need to do and how they do it. So it is quite involved actually, and if you do think that you do need to appoint a DPO then let me know and we can look into that further for you.

I think the general point that you should take away from this is that you are unlikely to need to appoint a data protection officer. But if any of those areas concern you then comment on the video and we can have a further chat about that, and whether you are likely to. Because as I say, it is very important that you do get it right because there are specific fines for failing to appoint a DPO when you need to do so.

Okay, so hope that made sense. I know that was a bit of reading from the screen, but my head really hurts at this stage in the evening. So forgive me for doing that. But I'm really looking forward to the webinar on Wednesday, hope lots of you have registered for that. That's going to be really full two-hour training with some Q&A in there as well. That will really give you a good overview of GDPR, why it's come about. I think particularly importantly it's what will be the regulator’s attitude toward non-compliance. I think as small business owners that's probably the most important thing that we need to be thinking about. I think it's brilliant actually that so many of you are asking questions at such level of detail. About things like what happens if I store business cards.

But you know there's always a risk assessment in these matters and I think we'll have a really good discussion about what steps do you need to be taking towards compliance? What's the sensible approach for small business owners? It's not something that I certainly don't want you to lose sleep over. But there are a few sensible steps you can be taking and that is what I'll be talking about on the training. Right, I'm going to go to bed, I hope that was useful, I'll speak to you soon.