When is a DPO, not a DPO? by Ralph O’Brien
So we all know that organisations covered by the GDPR and the UK Data Protection Act 2018 may, in some cases, be required to appoint a Data Protection Officer, but this is hardly new.
Organisations in the UK have had privacy staff since the original act in 1984, and depending on their size and investment in privacy they may have anything from a part-time role to entire divisions of staff devoted to delivering privacy for the individuals they serve.
Paraphrased, the organisation must legally appoint a Data Protection Officer when:
1. The organisation is a public body, but not a court
2. Core processing activities require regular or systematic monitoring on a large scale
3. Core processing activities involve large scale special category data or criminal offence data
(1) and the second half of (3) are pretty clear cut: public authorities and law enforcement, or those receiving criminal record/offence data, require a DPO.
(2) and the first half of (3) are much more subjective, as the words “large scale” require interpretation, which has been provided by the EDPB (https://ec.europa.eu/newsroom/article29/item-detail.cfm?item_id=612048). This interpretation covers the number of individuals, the volume of data, the duration and the geographical extent of the processing, and requires the organisation to document its decision making as to whether it needs a DPO.
Examples of large-scale processing include:
1) processing of patient data in the regular course of business by a hospital
2) processing of travel data of individuals using a city’s public transport system (e.g. tracking via
3) processing of real time geo-location data of customers of an international fast food chain for statistical purposes by a processor specialised in providing these services
4) processing of customer data in the regular course of business by an insurance company or a bank
5) processing of personal data for behavioural advertising by a search engine
6) processing of data (content, traffic, location) by telephone or internet service providers
Examples that do not constitute large-scale processing include:
7) processing of patient data by an individual physician
8) processing of personal data relating to criminal convictions and offences by an individual lawyer
So which organisations legally need to appoint a DPO is fairly clear.
However, even if you are legally obliged to appoint a DPO, or even if you have appointed a third-party company to act as an external DPO, you will still probably want privacy expertise on staff or available to you. Even if you fail to meet the requirements above, you are likely still subject to the rest of the provisions of the law, and will therefore require some expertise to help you manage the risks to the organisation and to the individuals. Again, this may be full or part time, internal or external, as the organisation deems appropriate.
A quick look across privacy related job boards uncovers multiple titles and roles…
- Privacy Officers,
- Privacy Managers,
- Privacy engineers,
- Privacy Assistant,
- Data Protection Guru,
- Privacy Lawyers/Counsel,
- Privacy Consultants,
- Privacy Programme Manager,
- Chief Privacy Officer,
- Data Protection Auditor,
- Data Privacy Analyst…
...the list goes on and on - and it is clear that a number of organisations have determined that there can and should be multiple roles related to privacy and information management, without necessarily having a legally mandated Data Protection Officer role.
Indeed, due to the restrictive nature of the Data Protection Officer tasks assigned under the law, care must be taken to avoid a conflict of interest for the DPO, which is largely a monitoring and compliance role advocating for the individual. This indicates that most of the delivery of privacy should not be undertaken by the person who should be its reviewer. So equally, organisations that do have to legally appoint a DPO will probably have to establish roles and responsibilities related to privacy in addition to this role.
Who and what the organisation appoints will largely be up to them, but clearly privacy management will involve sponsorship from senior levels, planning, programme implementation across the business, monitoring, assessment and improvement. This is often misunderstood by senior management, who quite often believe that the DPO is responsible for data privacy, when in fact it is their own role to ensure that the business has dealt with information risk effectively. My advice has always been: “appointing a DPO is not your responsibilities discharged; it is instead just one of the starting steps you may have to take to manage your obligations to the individuals you serve.”
The allocation of budget and resources for privacy will be largely dictated by organisational need. For example, if your organisation begins to receive a large number of Subject Access Requests, staff may be required to handle their administration alone, without dealing with any other privacy tasks; equally, if your organisation has never received one, this work is likely to be absorbed into the role of existing admin staff in conjunction with the privacy team or legal counsel.
I’ll be running courses on the DPO role with the excellent Leadership Through Data, utilising their approach to training that is more graphical and practical than death by PowerPoint - but I don’t feel the content is purely for those legally required to have this role within their organisations.
Anyone who deals with privacy management and information governance can benefit from an understanding of the DPO’s role in comparison to other privacy team roles within an organisation, and what they can and can’t do.