As we count down to the General Data Protection Regulation (GDPR), which takes effect on 25 May, many accountancy practices still have unanswered questions. One of the more pressing is “In order to become compliant, will my accountancy practice have to appoint a Data Protection Officer (DPO)?”
That’s an important question, whether it’s one you’re asking for your own accountancy practice, or one you’re hearing from your clients. A DPO has important powers and responsibilities so, before you rush off to appoint one, take a moment to read this article.
It’s important to understand that there are no blanket exemptions for ‘small’ organisations. Whether or not a DPO is required is based solely on the kind of organisation and the kind of data processing activity it undertakes.
Under Article 37 of the GDPR, there are three circumstances in which a DPO is required:
Public authorities and bodies
A DPO is needed where the processing is carried out by a public authority or body (except for courts acting in their judicial capacity).
The GDPR does not define exactly what constitutes a ‘public authority or body’ but definitions are included in the UK’s Data Protection Bill, currently making its way through Parliament, where they’re defined as:
- A public authority or a Scottish public authority, as defined by the Freedom of Information Act.
- An authority or a body specified by the Secretary of State in regulations.
These definitions are likely to include councils, schools and the emergency services. They may also cover private companies that carry out public services, like transport, housing, energy and water.
Regular and systematic processing of data subjects on a large scale
A DPO is also required where the core activities require regular and systematic processing of data subjects on a large scale.
‘Core activities’ in this context means that the processing is ‘an inextricable part of the controller’s or processor’s activity’ rather than an ancillary function, like running a payroll.
Guidance published by the Article 29 Working Party recommends that when organisations are assessing ‘large scale’ they need to consider: the number of data subjects; the volume of data; the duration of the processing and the geographical extent of the processing.
Examples of operations covered by this would include insurance companies processing customer data and search engines processing personal data for behavioural advertising.
Large scale processing of special categories of data
‘Special categories of personal data’ includes data which would reveal information such as ethnic origin, political opinions, religious beliefs, sexual orientation, genetic and health data. Among others, it would apply to trade unions, healthcare providers and polling companies.
The processing of personal data relating to criminal convictions and offences also requires the appointment of a DPO.
Even if you’re not obliged to appoint a DPO, your accountancy practice can still appoint one if you want. It’s important to realise that if an organisation appoints a DPO voluntarily, they will have to comply with the full range of DPO requirements under GDPR, so it’s not a step to undertake lightly.
Duties of a DPO
Article 39 of the GDPR sets out the duties of a Data Protection Officer. In brief, they are:
- To advise the organisation and its employees of their obligations under GDPR
- To monitor compliance with the regulations and with the organisation’s policies, including raising awareness and training staff
- To advise on the necessity of Data Protection Impact Assessments and to monitor their implementation and outcomes
- To act as the contact point with the relevant supervisory authorities
- To act as the contact point for data subjects on privacy matters
- To have due regard for the risks associated with data processing operations
Qualifications of a DPO
GDPR doesn’t define the precise qualifications of a DPO, but there is a certain minimum requirement regarding expertise and skills.
A DPO must understand how to build, implement and manage data protection programmes. The more complex – or high risk – the data processing, the greater the expertise required.
DPOs don’t have to be lawyers, but they should have expertise in national and European data protection law including, of course, an in-depth understanding of GDPR itself. They must also understand the organisation’s own technical and organisational structure.
The independence of a DPO
GDPR requires that the DPO operates independently, and without instruction from, their employer. Organisations can’t tell their DPO how to interpret data protection law and a DPO can’t be dismissed or penalised for performing their DPO-related work.
DPOs are allowed to perform other work within the organisation, but there must be no conflict of interests between that work and their DPO responsibilities; a Chief Exec or Head of Marketing, for example, is unlikely to be able to fulfil the role.
DPOs must report directly to the ‘highest management level’ in their organisation.
This article isn’t a substitute for professional advice, but hopefully it provides a useful starting point for discussions within your practice or your clients’ businesses on whether you must, or choose to, appoint a DPO. This is a complex topic but if you or any of your clients need some help preparing for GDPR, help is at hand.
We’ve partnered with a leading online solutions provider to support accountancy practices and their clients in their work to achieve initial compliance and their ongoing GDPR governance.
CCH GDPR Compliance is a cloud-based software that brings together everything you need for GDPR in one place. Simple checklists and workflows generated by the software steer you through each aspect of compliance. The system helps you log, report and manage data breaches and it allows you to update all your privacy notices from a single location.