Voluntary appointment of a DPO
Any business may decide to appoint a DPO, even where there is no legal obligation to do so.
In this situation, the voluntarily appointed DPO will be expected to carry out their responsibilities under Articles 37 to 39 as if the appointment were mandatory.
Regardless of whether the GDPR obliges you to appoint a DPO or not, you must ensure that your organisation has sufficient resources on hand, with the necessary level of knowledge of data protection law, to carry out the obligations required under the GDPR.
For businesses who are not required to make a mandatory appointment, remember the two key points at the top of this article outlining the advantages of investing in a DPO:
- A DPO can enhance an organisation’s reputation, not only with its customers, service users or audience but also with investors and other key stakeholders. As such, a DPO appointment demonstrates stability, a commitment to following compliance procedures, and the availability of resources to manage risks.
- Commercially astute DPOs can quickly identify the opportunities certain data processing activities present, then draft and execute a strategy of how to take advantage of such opportunities in a compliant way with appropriate risk-management in place.
Finally, if you decide that you don't need to appoint a DPO, it is best practice to record this decision to demonstrate compliance with the accountability principle. Remember to revisit this conclusion periodically, or as and when your processing operations change.
Not appointing a DPO?
Data protection is a senior executive level priority for every business. Regardless of whether or not a company is required to appoint a DPO, it is still a legal obligation to comply with the GDPR.
Failure to do so could leave an organisation open to liability if a breach occurs.
Morrisons Data Breach
Although no cases have been brought under the Data Protection Act 2018 as yet, in the case of Various Claimants v WM Morrison Supermarkets Plc [2018] EWCA Civ 2339, brought under the 1998 Act, the Court of Appeal held the employer was vicariously liable for the employee's acts away from the workplace where those acts formed a sequence of planned events leading to the commission of the wrongdoing. This was the case even though the malicious action was designed to injure the employer as opposed to the data subjects.
This judgment means that where an employer is the data controller, they are highly exposed to potential claims from the victims of a data breach caused by a rogue employee.
The decision of Various Claimants v WM Morrison Supermarkets Plc is to be appealed to the Supreme Court. This is the law at the time of writing (April 2019).
When deciding not to appoint a DPO, companies are recommended to take the following actions:
Keep a detailed record of events
Where a business determines that it is not required to make a mandatory DPO appointment and chooses not to do so voluntarily, the executive management team are advised to create a detailed account of the decision-making process.
In the event that the supervisory authority (the ICO) has cause to ask why there is no DPO in place, the company will be able to outline its reasoning. Furthermore, if the business made an error and should have appointed a DPO, the ICO is more inclined to take into account the conclusions arrived at by the company's executives, and offer advice in place of a harsher alternative.
Make regular assessments
Given that the nature of business is one of change and growth, the decision not to appoint a DPO should be reviewed regularly, especially if there is a change in data processing operations.
It is easy to imagine an organisation unwittingly falling through the gaps of GDPR compliance simply because, following an initial review (perhaps before 25 May 2018), subsequent changes to the company's personal data processing practices are ignored, with management taking for granted that compliance is still being achieved.
Appoint a data protection lead
The amount of resource required to oversee GDPR compliance will vary from business to business, depending on the size and complexity of its data processing operation. Just as every company must assess whether to appoint a DPO, so must it determine how the data protection programme will be administered where the services of a DPO are deemed unnecessary.
Without having to follow the strict conditions to appoint a DPO as defined under Article 38, companies have more flexibility regarding who can lead the GDPR compliance process.
It is worth noting, however, that while there is no alternative to making such an appointment, there is no requirement for this position to be internally filled.
The WP29 DPO Guidelines highlight this:
Nothing prevents an organisation, which is not legally required to designate a DPO and does not wish to designate a DPO on a voluntary basis to nevertheless employ staff or outside consultants with tasks relating to the protection of personal data.
In these situations, there must be no confusion about their position or title and the role they fulfil. Under no circumstances must they be designated the title Data Protection Officer.
For more information about the day-to-day aspects of GDPR compliance, we take a detailed look at what a business is required to do when not appointing a DPO in the fifth article of the series.
Making the right decision
Most positions in organisations fall into one of two camps.
They are either:
- A business cost
- A revenue generator
A DPO is one of the few roles which falls into both camps, as long as the correct appointment is made. Not only does a DPO require an in-depth knowledge of data protection laws, both throughout Europe and internationally, and a background in compliance, they also need to understand the practicalities of running a commercial entity.
When appointing a DPO, the best candidate will be one that fits your organisation, taking into account its size and market sector, plus its values and commercial ambitions. Decisions will need to be made regarding whether a full-time DPO is the best way to ensure GDPR compliance, or whether other options, such as making the role part-time or a job-share, or appointing an external company, are the best way forward.
Like most matters involving the GDPR, on a surface level the appointment of a DPO seems straightforward. But dig a little deeper, and it becomes clear that multiple factors need to be considered, and even then the answer may not be clear. External advice can be invaluable to assist with such a decision.