The GDPR provides that certain organisations must appoint a data protection officer (DPO). Every organisation should have a data protection lead, whether or not they require a DPO.
The organisations which require a DPO are:
- All public authorities or public bodies, defined as those caught by freedom of information legislation – this includes all doctor and dental practices, colleges and universities but not currently housing associations, although this may change
- Those whose core activities consist of processing ‘special categories’ of data (comparable to sensitive data, such as health data, trade union membership, political affiliation, biometric and genetic data etc) or data relating to criminal convictions or offences on a large scale – law firms and private health care organisations may fall into this category as well as certain housing association that provide care services
- If the core activities of the organisation require regular and systematic monitoring of data subjects on a large scale – this includes organisations operating a telecommunications network; profiling and scoring for purposes of risk assessment (eg for purposes of credit scoring, establishment of insurance premiums, fraud prevention, detection of money laundering); location tracking, for example, by mobile apps; loyalty programmes; behavioural advertising; monitoring of wellness, fitness and health data via wearable devices; closed circuit television; connected devices, eg smart meters, smart cars, home automation, etc
‘Core activity’ – one that is inextricably part of the function of the organisation and not a support activity, including activities where the processing of data forms an inextricable part of the controller’s or processor’s activity.
‘Large scale’ – number/proportion/volume and/or different types of personal data, including the geographical extent of the processing activity.
Sole practitioners are not required to appoint a data protection officer.
The second category may apply to some law firms. For instance, a criminal defence firm, or a personal injury firm, cannot provide legal services without processing special category data and so would appear to fall into the ‘core activities’ category. However, that may depend on the extent to which these areas of practice are the core activities of your firm.
It is difficult to determine what will be considered ‘large-scale’ processing. The guidance from the EU states that organisations should consider the following:
- The number of data subjects concerned, either as a specific number or as a proportion of the relevant population
- The volume of data and/or the range of different data items being processed
- The duration, or permanence, of the data processing activity
- The geographical extent of the processing activity
The guidance provides examples of large-scale processing:
- Patient data in the regular course of business by a hospital
- Travel data of individuals using a city’s public transport system (eg tracking via travel cards)
- Real-time, geo-location data of customers of an international, fast-food chain for statistical purposes by a processor specialised in providing these services
- Customer data in the regular course of business by an insurance company or a bank
- Personal data for behavioural advertising by a search engine
- Data (content, traffic, location) by telephone or internet service providers
Examples that do not constitute large-scale processing include:
- Patient data by an individual physician
- Personal data relating to criminal convictions and offences by an individual solicitor
Whatever you decide for your firm, if you decide not to appoint a DPO, document your reasoning.
A DPO does not have to be an internal appointment – it can be an outsourced or shared service. Crucially, the DPO’s role is to monitor and advise on compliance and not to make decisions about the processing of data as that would conflict with the role. Therefore, it can be very difficult to identify someone who can be independent of processing decisions to fill this role.
Data protection lead
Even if you do not appoint a DPO, you should nominate someone to take the lead in relation to this area and to be the point of contact for staff, clients and others. The restrictions in relation to who this person can be do not apply if they are not fulfilling the statutory role envisaged by the GDPR.
For more information about the role of the DPO, go to www.ico.org.uk.