We’re now less than a year away from the General Data Protection Regulations (GDPR) coming into force. As there’s still a lack of surety as to the extent of obligations under GDPR, over the coming months we’re going to address the most common concerns we’ve encountered.
One thing you can be absolutely sure of in relation to the GDPR is that any organisation that collects, stores and / or processes the personal data of EU residents must comply to some extent with it. One particular requirement is causing more uncertainty than others and that’s Article 37 – Designation of the Data Protection Officer (DPO).
The DPO is a regulated function carrying significant responsibility and a prescribed set of minimum requirements. A failure of that function will be subject to a penalty of €10,000,000 or 2% of turnover. We’ve found that the main area of confusion surrounding the DPO requirement is its scope – does it apply to my organisation?
Earlier GDPR drafts restricted the DPO requirement to organisations with more than 250 employees or to those processing the data of 5,000 or more data subjects but those restrictions don’t exist in the final version. If your organisation is a public authority or body then it’s fairly straightforward; come 25/05/2018, when the GDPR is in force, it will have to have a DPO in place. For organisations in the private sector it’s not so clear cut; whether or not they need to appoint a DPO depends on their core activities including the following:
- Large scale, regular and systematic monitoring of data subjects
- Large scale processing of special categories of data or of personal data relating to criminal convictions and offences.
The grey area surrounds the interpretation of the terms core activities, large scale and regular and systematic. Because the regulator doesn’t offer definitive guidance on these terms, the requirement now occupies the same compartment in our compliance worries as those that refer to material, adequate and nature, scale and complexity and, just as with those requirements, context is key. To establish whether or not you need to comply with Article 37 you must examine your organisation’s core activities, establish whether or not they include the above activities and then determine whether those activities are large scale or not. Fortunately, the Article 29 Data Protection Working Party (WP29) – an advisory group made up of a representative from the Data Protection authority of each EU Member State, the European Data Protection Supervisor and the EU Commission – have published Guidelines on Data Protection Officers that go quite a way towards clarifying those terms.
WP29 tells us that core activities “can be considered as the key operations necessary to achieve the [organisation’s] goals” but warn that the term “should not be interpreted as excluding activities where the processing of data forms an inextricable part of the [organisation’s] activity”. They give an example of a hospital where the core activity of healthcare provision could not be carried out without processing their patients’ health records. In a situation such as this the processing of sensitive data should be considered a core activity and the controller / processor must appoint a DPO. But WP29 goes on to say that activities such as employee payment and standard IT support, though “necessary and essential, […] are usually considered ancillary functions rather than the core activity”.
Although Recital 91 of the GDPR provides some guidance on large scale processing operations –
[those] which aim to process a considerable amount of personal data at regional, national or supranational level and which could affect a large number of data subjects
WP29 recommends that when determining whether our processing activities are large scale or not we should consider:
- the number of data subjects concerned – either as a specific number or as a proportion of the relevant population
- the volume of data and / or the different data items being processed
- the duration, or permanence, of the data processing activity
- the geographical extent of the processing activity.
They give us some examples. A bank or insurance company processing customer data in the regular course of their business should be considered large scale but the processing of patient data by a single GP should not.
The WP29 interpretation of regular includes ongoing; recurring; constantly; and periodically, among others and they interpret systematic to mean:
- Occurring according to a system
- Pre-arranged, organised or methodical
- Taking place as part of a general plan for data collection
- Carried out as part of a strategy.
For many organisations it will be obvious whether Article 37 applies or not. For those of you in the grey zone, we’re afraid there is no hard and fast rule. Establishing whether or not Article 37 applies to your organisation will require a not insignificant time investment. WP29 recommends that organisations in that situation document their analysis and decision process so that they can demonstrate that they’ve considered all relevant factors properly and because documentation is a requirement under the accountability principle (Article 5.2), but that’s another day’s blog.
Be aware that if you appoint a DPO voluntarily the function is bound by the same obligations as though it were a mandatory designation. If you decide that you don’t need a DPO at all you should at least consider making a competent person responsible for data protection in your organisation, the potential consequences of GDPR non-compliance are simply too high not to.
By: Fiona Kiely (Senior Research Analyst)
Published: July 2017
CalQRisk, in collaboration with Data Protection experts, has developed a set of risks around GDPR compliance. For details on how CalQRisk GDPR can benefit your organisation, contact us today.