On 18 June Withers held a round-table discussion to review one of the key provisions of the General Data Protection Regulation ('GDPR') legislation introduced a year ago: the role of the Data Protection Officer ('DPO'). The event was well-attended by representatives from a range of large and smaller charities – including a few DPOs.
The event began with an introduction by Chris Priestley, Head of the Withers Charities and Philanthropy Team, who noted that over the past year many charity clients have been requesting advice on the role of DPOs. We know that many of our charity clients are still finding their way in thinking about the role of a DPO, whether they need to employ one and who that may be.
The panel consisted of Kenneth Mullen, Withers' data protection specialist who has been advising many charities in advance of the introduction of GDPR and deals with ongoing queries on information protection generally; Alison Paines, a partner in the Charities team, who shared her experience advising charities on governance and accountability; and Hugh More, partner in the Withers employment team, to advise on the employment law issues in relation to employing a DPO.
Q. What is a DPO and why has having one now become such a big issue for organisations?
A. The GDPR aimed to make organisations accountable for data protection and imposed a requirement on those organisations to demonstrate compliance. The DPO is a cornerstone of this accountability and compliance concept. Although it is the first time that the law obliges certain organisations in the UK, including charities, to appoint a DPO, DPOs have already been in place in a number of EU countries, such as Germany, for a number of years.
Q. Do all charities need to appoint a DPO? How can smaller charities meet the legal requirements if they are required to appoint a DPO?
A. Not all charities will need to appoint a DPO. There are three situations where an organisation will need to appoint a DPO:
1. The organisation is a public authority or public body (with the exception of parish councils and the courts)
2. The organisation's core activity requires regular and systematic monitoring of data subjects on a large scale
3. The organisation's core activity consists of processing special categories of data, such as health data, biometric data or criminal history, on a large scale
In respect of scenarios 2 and 3, the concepts of the processing being a "core activity" and on a "large scale" are important qualifications. When considering whether the processing of special category data is a "core activity" or not, the organisation should look at whether its main activities are inextricably linked to the processing of such data. An example provided by the EU regulatory authorities under scenario 3 is a large hospital having to process patient health records, which is clearly part of its core activities. Charities which, as part of their key activities, provide welfare services to individuals who have health issues (and collect health data) would therefore similarly need to consider whether they qualify.
There is no clear guidance on what constitutes "large scale" processing and there are examples of the definition giving rise to different interpretations across Europe. Regulatory guidance from the EU suggests that, in determining what is "large scale", an organisation must have regard to the volume of data being processed, the number of data subjects involved, the permanence of the processing activity and the geographic scope of personal data being collected.
The size of the charity is not relevant in itself. Smaller charities that are required to appoint a DPO could consider appointing an external DPO or sharing a DPO with other, similar organisations.
Q. If a charity has decided it should appoint a DPO, who should the DPO be? Can it be an existing employee?
A. Yes, the DPO can be appointed internally or externally. If appointing an existing employee who already has another role, thought must go into whether they have the capacity to act as DPO. In particular, the GDPR requires that the DPO acts on an independent basis and that their role as DPO does not conflict with their other tasks and duties.
EU guidance suggests that some roles such as Head of HR or Marketing may, by their nature, give rise to a conflict.
Q. Who should the DPO report to? How does that interplay with a charity's governance?
A. The GDPR says the DPO should report directly to the highest management level in the organisation, but the Regulation does not provide any detail as to what the highest level of management actually is. This can be a particular challenge for charities that don't operate along conventional corporate lines. However, draft versions of the GDPR used the wording "executive management" where the final version uses "highest level of management", so we can assume that "highest level of management" sits above "executive management". Therefore the DPO must be given the right to report directly to the board or, if appropriate, a committee of the board. We would recommend keeping a standing item on the agenda of board meetings for the DPO to report to the board.
Q. What are the other considerations for a DPO's function in a charity?
A. In addition to the DPO's functions in monitoring compliance with the GDPR and other data protection policies, a DPO must co-operate with the supervisory authorities. In the context of a charity, this includes not only the Information Commissioner's Office but also the Charity Commission. So, a DPO must understand when and what might need to be reported to the Charity Commission, including what constitutes a 'serious incident' so far as the Commission is concerned and how to report it. The Commission has recently changed its reporting process, and charities must now complete an online form which is much more prescriptive in the information required.
The importance of data protection in the charity sector is clear from the recent data breach reported by transgender support charity Mermaids UK where part of the charity's email database was found to be available on the internet, including some special category data of beneficiaries.
Data breaches can also be very costly. Employees of the supermarket Morrisons have been permitted to bring a class action against their employer for a data breach caused by the criminal act of a rogue employee.
Q. What are your recommendations for charities that are not required to have a DPO?
A. Data is still fundamentally important to many charities, and appointing someone responsible for data protection is a useful discipline for monitoring compliance with data protection law. It is also important to keep in mind that, where a charity does not need to appoint a DPO but does wish to appoint someone responsible for data protection, if that person is formally named as a 'DPO' the organisation will be deemed to be voluntarily submitting to the GDPR's DPO regime and becomes subject to the full range of legal obligations regarding how that DPO is treated.
Q. Turning to employment implications, how should charities define the obligations of the role of the DPO?
A. DPOs should be appointed on the basis of professional qualities and expert knowledge of data protection law. The required level of experience should be commensurate with the sensitivity, complexity and amount of data that the organisation processes. Organisations should think carefully about defining a DPO's specific responsibilities comprehensively in an employment contract or statement of duties. These will include:
- Informing and advising the charity and its managers and employees of their obligations under the GDPR and other applicable data protection legislation.
- Monitoring compliance with the GDPR and other applicable data protection legislation and with the charity's data protection policies.
- Providing advice, where requested, as regards data protection impact assessments and monitoring performance.
- Co-operating with the Information Commissioner's Office (ICO) and acting as contact point for the ICO on issues relating to processing.
Q. How can a charity monitor conflicts of interest?
A. Conflicts of interest should be considered as part of the initial scoping of the role, and the dynamics of the organisation should be taken into account. Generally, individuals such as the CEO, COO, head of marketing and head of IT would not be appointed as DPO, as they are likely to be conflicted. Working Party guidance also suggests implementing safeguards and ensuring the job specification for the position of DPO is sufficiently precise and detailed to avoid conflicts of interest.
Q. Issues involving a DPO can range from the individual being over-zealous with finding issues that do not actually exist to being too demanding over resources. How should a charity address these and other issues that may arise with a DPO?
A. What is important is to be clear from the start how appraisals will work and what the ongoing assessments will be. The guidance is not prescriptive in relation to dismissal and other detriment for performance in the DPO role, but DPOs are protected to the extent that penalties against them are prohibited if they are imposed as a result of the DPO carrying out his or her duties as a DPO. The difficult question is where the line lies between conduct connected to the DPO role and conduct outside of it.
Another issue that can come up is if a charity has employed a DPO thinking that this would be a major role but, after a few months, it becomes clear that the role is not as demanding as originally thought. This may give rise to a redundancy situation or the role may be modified from a full-time position to a lesser requirement.
Charities also need to be careful that they employ someone who will actually be able to properly do the job of the DPO, with the expertise, knowledge of the organisation and independence to provide advice in line with GDPR requirements.
An outsourced provider can be a good choice if there are concerns about there not being enough work for a full-time internal DPO, or about committing funding to a full-time DPO employee.
We are aware of a few service providers who are offering an 'out of the box' nominated DPO service for a few hundred pounds a year. This type of offering should be treated with caution, since it seems unlikely to meet GDPR requirements. A charity that is obliged to appoint a DPO must not simply see this as 'ticking a box' to meet the requirement.
When appointing an external DPO, as well as considering whether they have the necessary knowledge, skills and qualifications to perform the job, it is important to consider liability and check that the provider is covered by appropriate insurance.
Q. How will GDPR be impacted by Brexit?
A. No one knows exactly. It is almost certain that a UK Data Protection Act reflecting EU law will still apply, and the ICO has been firm that a GDPR-style regime will continue to be in effect. To do business with the EU, UK businesses will probably need to match EU regulations, which means there will be little incentive to radically change UK law.
Q. Do the rules regarding conflicts of interest apply to individuals with data protection responsibility, such as a 'data protection champion', if one is appointed where a charity is not required to have a DPO?
A. No, not if they are not a regulated DPO. However, the charity will still need to consider the further implications of having a conflicted DP Champion, as this could still be detrimental to their ability to perform the role, even though it is not regulated by GDPR.
Another consideration is the relationship between DPO and internal auditor. The two must be complementary and able to work together, while maintaining the specific expertise and independence of the DPO.
Q. If a charity is collecting data from outside the EU, how can the charity ensure that its partners outside the EU comply with GDPR, which they themselves are not subject to?
A. If those partners are expecting a proper service from the EU based charity then they will need to respect the GDPR obligations that are incumbent on EU organisations, even if data derives from outside Europe. It is worth remembering too that many non-EU countries are putting in place similar legislation regarding data protection.
Q. Resources can be an issue for charities – what can they do? Can charities use a group of people instead to cover all the skills of a DPO?
A. Yes. In some cases it can help to embed compliance if many people within the organisation have data protection roles and skills, and training will be important here.
Q. How should a charity deal with a DPO who is an employee but is also supposed to be independent?
A. This can be a difficult concept for both the charity and the DPO, but it does not necessarily mean that a charity concerned about independence should appoint an external DPO. Appointing someone internally has advantages too, since they have the "insider" expert knowledge of the charity's operations that – as GDPR makes clear – is also important for fulfilling the role of DPO. Importantly, if there is any potential conflict between the organisation's views and those of the DPO, the DPO should document their opinion and ensure they are not seen to be unduly swayed by organisational concerns.
Q. How often should charities review their data protection compliance?
A. This will vary greatly by organisation and the particular personal data they are processing. Some may do this annually, some less frequently. It is clear that staff should be regularly trained on data protection compliance.
Much depends on the risk to data subjects presented by the processing, whether there is high staff turnover, and whether the organisation frequently changes its operations. An IT review or governance review could be used as a prompt to also conduct a review of data protection.
If you have any questions about DPOs or complying with GDPR, please do not hesitate to get in touch with Chris Priestley, Kenneth Mullen, Hugh More or Alison Paines.