Law Society of Scotland

GDPR: do you need a data protection officer?

The new rules on data protection officers and some important tasks which all law firms should consider
11th December 2017 | Kenneth Meechan

Data protection officers have existed for as long as data protection has been on the statute books. Initially including almost all IT staff under the original Data Protection Act 1984 (“Making sure 1984 isn’t like 1984”, as I once said), they have increasingly become information law and information management specialists under the 1998 Act. However, the appointment of a data protection officer was a matter of choice for all organisations, and many simply saw no need to do so.

The GDPR changes all that as of next May. Article 37 of the GDPR creates a new obligation to appoint a data protection officer in one of three cases:

"(a) the processing is carried out by a public authority or body, except for courts acting in their judicial capacity;

(b) the core activities of the controller or the processor consist of processing operations which, by virtue of their nature, their scope and/or their purposes, require regular and systematic monitoring of data subjects on a large scale; or

(c) the core activities of the controller or the processor consist of processing on a large scale of special categories of data… and personal data relating to criminal convictions and offences" – this is what you may recognise as sensitive personal data under the 1998 Act.

The first is simple enough, and public bodies are all busily identifying appropriate staff for the role. However, for the law firm, the third category in particular merits closer consideration. If your firm does criminal defence work, you will of necessity be processing a lot of personal data relating to criminal convictions and offences. If your firm does personal injury work then you are likely to be processing a lot of special category data under the heading of medical conditions. Does this mean you need to appoint a data protection officer?

The short answer is the classic legal response: it depends. There is some helpful (and authoritative) guidance on the role of the DPO which has been issued by the Article 29 Working Party, available here. Applying the guidance to the question at hand, we are told that "‘Core activities’ can be considered as the key operations to achieve the controller’s or processor’s objectives. These also include all activities where the processing of data forms an inextricable part of the controller’s or processor’s activity."

So if you are a criminal defence firm, or a personal injury firm, you can’t do your job without processing this sort of data and so you would seem to be ticking the "core activities" box (although arguably this would also be dependent on the extent to which these areas of practice were indeed the core activities of the firm, as opposed to a minority activity). This then leads us to the second limb of the test, “processing on a large scale”. The guidance recommends that the following factors, in particular, be considered when assessing this:

  • the number of data subjects concerned – either as a specific number or as a proportion of the relevant population;
  • the volume of data and/or the range of different data items being processed;
  • the duration, or permanence, of the data processing activity;
  • the geographical extent of the processing activity.

The guidance does helpfully tell us that processing of personal data relating to criminal convictions and offences by an individual lawyer does not constitute large-scale processing, but the question is open for everyone else.

Law firms might find it helpful to consult the guidance, and the terms of articles 37 to 39 of the GDPR, and carry out a formal assessment against the criteria listed above, at the end of which you should know whether you need a DPO or not. The Information Commissioner may disagree with your assessment down the line and order you to get one where you had decided not to bother, but the fact of having documented this assessment will go a long way to heading off regulatory action. Such action is far more likely for those who simply haven’t bothered to do anything about this than those who have made a conscientious decision that they believed it was not required.

And if you do need a DPO, this doesn’t necessarily mean recruiting someone. Alternative models are available; the important point is to have the relevant knowledge and expertise in data protection available when it is needed. Firms with expertise in this field may see a potential growth area in terms of providing a DPO service to companies (and firms) who need a DPO but not necessarily a full-time one. Having the Law Society of Scotland’s specialist accreditation in data protection and FOI would seem to be an ideal qualification for this.

 

The Author

Dr Kenneth Meechan is a solicitor with the City of Glasgow Council, a member of the Law Society of Scotland’s Privacy Law Committee, and chair of the accreditation panel for data protection and freedom of information (for which he would welcome applications for accreditation).