DPOs and the GDPR: Part 1 - When is a DPO needed?
06 January 2017
On 16 December 2016, the Article 29 Working Party (WP29) released highly anticipated guidelines on some of the most critical matters in the implementation of the General Data Protection Regulation (GDPR). These guidelines are not legally binding, but local data protection authorities are likely to follow them. The WP29 does invite comment on the guidelines before the end of January 2017 so it is possible we will see some refinements.
One set of guidelines deals with interpretation of provisions of the GDPR relating to data protection officers (DPOs), a pillar of the new accountability-based compliance framework introduced by the GDPR. The guidelines recommend the appointment of a DPO in circumstances beyond those explicitly required by the text of the GDPR. They also seek to clarify relevant provisions of the GDPR, in an effort to resolve some of the uncertainty.
The GDPR requirement
Article 37 of the GDPR stipulates that a data controller and/or processor must appoint a DPO if:
- the core activities of the controller or the processor consist of processing operations which require regular and systematic monitoring of data subjects on a large scale; or
- the core activities of the controller or the processor consist of processing on a large scale of special categories of data and personal data relating to criminal convictions and offences.
Understanding what is meant by some of these terms – “core activities”, “regular and systematic monitoring”, “large scale” – is crucial to determining whether an organisation is required to appoint a DPO. So, do the WP29’s draft guidelines help us?
When is the data processing a core activity?
The first criterion to be looked at is whether the data processing is a “core activity”. Recital 97 of the GDPR specifies that core activities are a company’s primary (as opposed to ancillary) activities. The guidelines are clear that core activities are the key operations necessary to achieve the controller/processor’s goals. This term should, however, be interpreted as including activities where the processing of data forms an inextricable part of the controller’s or processor’s activity.
The WP29 illustrates this through the example of a hospital. The core activity of a hospital is to provide healthcare, but to do so it must process patients’ health records. Therefore, processing of this data should be considered among a hospital’s core activities. Hospitals should therefore designate DPOs. Another example given is of a private security company carrying out surveillance of private and public spaces – this is a core activity and inextricably linked to the processing of personal data.
On the contrary, when the processing of personal data relates solely to support functions for the organisation’s core activity or main business, then such processing is not part of the core activities of such an organisation. According to the WP29, activities such as paying the employees or standard IT support activities would fall into this category.
Many organisations will ask whether systems monitoring, such as monitoring email or internet traffic, for cybersecurity or compliance purposes, will be considered a core activity or a support function. It would seem unlikely that monitoring for IT security purposes would be considered a core activity. But in the case of monitoring for compliance purposes, such as recording telephone lines, it is less clear that this would be considered to be a support function. It is clear there will be many cases where the line between core activities and support functions is blurred.
When is processing done on a large scale?
Only companies processing personal data on a “large scale” will be caught by the relevant DPO provisions. The WP29 does not provide a precise methodology for how to determine when data are processed on a large scale, although they have indicated they plan to provide further examples in due course. For now, they have set out a number of factors for consideration:
- the number of data subjects concerned;
- the volume or range of data processed;
- the duration or permanence of the processing; and
- the geographical scope of the processing.
The examples put forward by the WP29 suggest that not all these elements have to be present. Although the guidelines also provide examples of activities not regarded as being conducted on a large scale (such as processing of patient data by an individual physician), there is still a very broad category of cases between what is clearly “large scale” and what are small scale operations, where uncertainty remains. This will be alleviated over time as standard practices start to emerge and further examples are provided by the WP29 and in guidance from national data protection authorities.
Other conditions
Not all core and large-scale activities will automatically trigger the requirement to appoint a DPO. The obligation only arises if the activities consist of either “regular and systematic monitoring” of data subjects, or processing of “special categories of data” and personal data relating to criminal convictions and offences.
While the definitions of special categories of data and personal data relating to criminal convictions and offences are clear, the interpretation of the term “regular and systematic monitoring” is more complex.
Recital 24 of the GDPR suggests that monitoring (for the purposes of the territorial reach of the GDPR) includes situations where natural persons are tracked on the internet through data profiling, particularly “to take decisions concerning her or him or for analysing or predicting her or his personal preferences, behaviours and attitudes”. The WP29 clarifies that monitoring in this context of DPOs is not limited to profiling on the internet, or even just to the online environment, but it can also include any “offline” processing techniques profiling a natural person for the same purpose (e.g. monitoring through CCTV, wearable devices, or smart meters).
The WP29 interprets “regular” monitoring as on-going or occurring at regular intervals, recurring or repeated at fixed times, or that which takes place constantly or periodically. It considers that monitoring is “systematic” if it occurs according to a system, is pre-arranged, organised or methodical, takes place as part of a general plan for data collection, or is carried out as part of a strategy.
What if there is no need for a DPO?
Even where there is no express requirement to appoint a DPO, the WP29 encourages organisations to consider making the appointment on a voluntary basis. Unless it is obvious that no DPO needs to be appointed, the WP29 recommends that companies document the internal analysis they have undertaken to determine whether a DPO is required, to demonstrate that all relevant factors have been taken into account.
If an organisation decides to make a voluntary appointment, further thought should be given to whether this role is designated as such, triggering the application of corresponding provisions of the GDPR.
Look out for our next blog, in which we will examine who should be appointed as DPO and how they should perform their duties.