FEATURE 14 July 2017

Do you need a data protection officer?



For some, it will soon be compulsory to appoint a data protection officer. Dr Michelle Goddard looks at which organisations will need to fill this post


As the May 2018 deadline for enforcement of the General Data Protection Regulation (GDPR) approaches, researchers need to think carefully about the actions required to ensure they are on the right compliance track. The GDPR contains some familiar data protection principles, but also introduces concepts that are relatively novel in the UK. 

One of these is the compulsory appointment of a data protection officer (DPO) in specific circumstances. In Germany, DPOs are a core feature of the data protection framework, advising on compliance and acting as a contact for the data protection authority and data subjects. With the enforcement of the GDPR, this position will become more familiar across the EU.

Here are some points to consider in deciding whether, how and when you may need to appoint a DPO. 

Who needs a DPO?

The GDPR obligation applies to all organisations handling personal data (both data controllers and data processors) and the essential test is whether your core business activities involve: 

  • Regular and systematic monitoring of individuals on a large scale 
  • Processing of sensitive personal data (racial or ethnic origin; political opinions; religious beliefs; membership of a trade union; physical or mental health or condition; sexual life; sexual orientation; biometric data used to identify; genetic health data) or data on criminal convictions and offences on a large scale
  • Data-processing activity carried out by a public authority.

Guidance from the grouping of EU data protection authorities (the Article 29 Working Party) has made clearer the types of businesses that are likely to be affected. Companies processing personal data on a large scale for behavioural advertising, online tracking, fraud prevention, detection of money laundering, administering loyalty programmes, running CCTV systems or monitoring smart meters will be caught by the DPO requirement. 

Similarly, in a research context, panel providers, opinion pollsters or audience measurement researchers will almost certainly need to appoint one, given the type and scale of their data collection activities. On the other hand, freelance independent qualitative researchers are unlikely to need to, as the volume of data and the number of subjects whose data they process are likely to be relatively small.

If you are uncertain, it may still be useful to designate a DPO as this will assist you in fulfilling the GDPR requirement that firms be accountable, and demonstrate compliance with the key data protection principles. But be careful what you call the role. If a DPO is appointed – even on a voluntary basis – all the statutory protections will apply.

What is the role of the DPO? 

The DPO plays a key compliance role within the organisation and as an accessible contact for individuals and the data protection authority. As part of the role they will be required to: 

  • Inform their organisation and its employees of their obligations under the GDPR and other relevant data protection laws
  • Monitor compliance with data protection laws and the firm’s data protection policies
  • Offer advice on data protection impact assessments, where requested, and monitor performance 
  • Cooperate with the supervisory authority
  • Act as a point of contact for the supervisory authority.

What skills are required?

The appropriate level of expert knowledge relates to the data-processing operations carried out and the level of protection required for the personal data being processed. For example, if the activity is complex, or involves a large amount of sensitive information, the DPO may need a higher level of expertise and support. 

Essential skills and expertise to look for include:

  • National and European data protection laws and practices, including an in-depth understanding of the GDPR 
  • Understanding of the processing operations carried out 
  • Understanding of information technologies and data security 
  • Knowledge of the business sector and the organisation
  • The ability to promote a data protection culture within the organisation.

Who should I appoint?

Businesses that appoint a DPO must have the necessary resources to fulfil the job and grant the DPO significant independence with a direct reporting line to the highest management level. This is underpinned by statutory protection for their job security that expressly prevents dismissal or other sanctions on grounds that relate to their performance of the DPO tasks.

You can appoint internally or outsource the position. If you choose an internal DPO, they cannot be responsible for tasks that conflict with independence; avoid people in senior managerial or information technology roles.

Now is the time to act 

Transparent and efficient handling of personal data via a DPO can help your organisation gain a competitive advantage, particularly in terms of public perception and reputation. So:

  • Determine whether having a DPO is necessary or desirable
  • Decide between outsourcing the role or appointing an employee
  • Consider any conflicts of interest before appointing a current employee to a shared DPO role 
  • Ensure sufficient autonomy and resources
  • Once appointed, publish contact details and advise the Information Commissioner’s Office.

Failure to appoint a DPO, where required, can lead to fines of up to €10,000,000 or 2% of a firm’s worldwide turnover, whichever is higher. Qualified people may increasingly be in short supply, so review your activities and make an early decision.

Dr Michelle Goddard is director of policy and standards at MRS
