HewardMills talks with Active Navigation and Faegre Drinker on the PrivSec panel

Last month, our CEO Dyann Heward-Mills participated on a PrivSec panel with Active Navigation and Faegre Drinker to discuss Data Mapping, DPOs, Consumer Protection and how to create a winning approach for global privacy compliance.

In the webinar recording [CLICK HERE TO WATCH], Dyann discussed the importance of accountability and the legitimate processing of data.

She touched upon the emergence of new technologies during COVID-19 and issues around trust and transparency. Also, in light of the Black Lives Matter movement, she highlighted the importance of organisations rethinking how new technologies such as facial recognition and profiling of individuals can inadvertently be used to discriminate against certain individuals.

Following the webinar, we received a number of relevant questions on DPO. To create clarity around what still seems to be a grey area, we highlighted some of the questions and here are our answers:

Is there a legal obligation under GDPR to have a Data Protection Officer?

Under the GDPR there is a legal obligation to appoint a DPO in certain circumstances. These are set out in Article 37(1) of the GDPR. There is a legal obligation to appoint a DPO where an organisation (whether it is a controller or processor is irrelevant); (a) is a public authority or body (b) carries out regular and systematic monitoring of data subjects on a large scale as a core activity and (c) as part of its core activities, carries out large scale processing of special categories of data or data relating to criminal convictions and offenses. Failing to appoint a DPO where there is an obligation to appoint one can lead to a fine or other enforcement action from the regulator. Even where the requirement to appoint a DPO is not mandatory, it may be good practice to appoint a DPO in certain circumstances to demonstrate that the organisation takes data protection compliance seriously.

In the current climate of COVID-19, organisations have had to reassess their data protection and compliance strategies and the DPO continues to find it extremely difficult to exert their required influence and independence. What would be your advice, especially in scenarios where the Data Protection Officer is expected to report to the CEO, CISO or CPO?

Perseverance is key. The DPO plays a crucial role in data protection compliance for organisations. Considering COVID-19 where manpower may be scarce within functions because of cost cutting exercises and staff being furloughed, the DPO’s role should be even more critical during this period to ensure data protection compliance is being followed. Periodic reports and open lines of communications to senior management is as vital as ever. Accountability is now embedded with the Principles of the GDPR. This means C-suites are accountable for data protection compliance and any failings within their organisations. Considering COVID-19, many DPOs have to coordinate and work with stakeholders remotely to ensure data protection compliance is adhered to in a remote setting. Similarly, data protection and compliance strategies should not change, given the consequences of non-compliance remain the same.

Is it mandatory to register a Data Protection Officer with the ICO (Information Commissioner’s Office)?

Before the GDPR it was not necessary to register a DPO with the UK data protection regulator. Post GDPR, organisations should register their DPO. The DPO’s contact details are included on the ICO’s register, which is accessible to the public. When registering the DPO, the ICO requests that organisations state clearly in the DPO notification email, whether the DPO’s individual name should be published as an option.

I am hearing that in the UK Data Protection Officers and other such specialists are being made redundant as they are seen as a cost? What is your view and what could this mean?

As a result of the current climate, organisations will have to consider cost cutting implications across the board. It is unfortunate to hear that DPOs are being made redundant. In certain circumstances the appointment of a DPO is mandatory pursuant to Article 37 of the GDPR. It is important that organisations assess if they are mandated to appoint a DPO and document their decision-making on this point. Choosing not to comply with legal requirements can leave an organisation exposed to data protection risks. Companies have an obligation to monitor compliance carefully and ensure decision-making is documented and escalated to the top. A DPO can be instrumental in overseeing activities in this regard. Considering breaches can expose an organisation to fines of up to 20 million euros, investing in a robust DPO or DPO service is worthwhile. Organisations with effective DPOs are less likely to suffer reputational damage or loss of revenue and more likely to build trust with various stakeholders.

What are the Data Protection Officer’s requirements for UK companies after Brexit?

The DPO requirements will not change as a result of Brexit and their roles and duties will remain the same. The tasks and position of the DPO are also enacted in the UK Data Protection Act 2018 (Section 70 and 71 respectively) and so the function of the DPO will remain the same. Companies may need to appoint a UK DPO where the criteria are triggered.

I find in the UK that organisations seem to be requiring Data Protection Officers to have a minimum qualification such as CIPP/E, CIPM etc. A lot of DPOs do not have any qualifications other than experience. Which is best?

For a DPO to fulfil his or her task, they should be designated based on professional qualities such as expert knowledge of data protection laws and practices. Professional accreditation can enhance a DPO’s knowledge. Although there are no set pre-requisites that mandate a DPO to obtain a professional qualification, obtaining professional qualifications can help DPOs to successfully perform their duties within the organisation. The more expertise one has the more the DPO can pre-empt issues and continue to build a robust data protection framework for the organisation. However, there is no substitute for experience when dealing with strategic as well as the operational aspects of data protection compliance. Where a data processing activity is complex or where a firm is considered “high risk” for processing activities a DPO’s qualifications and experience will serve the DPO’s ability to carry out his or her tasks effectively.

To be clear, should a DPO always be independent of a firm’s privacy office?

The DPO will typically works with an organisation’s Privacy Office. There is no hard and fast rule about where the DPO is placed in relation to a firm’s Privacy Office, however it is critical that the DPO is independent. This means the DPO must be able to perform their task in a firm manner, with a sufficient degree of autonomy and an ability to reach conclusions about data protection matters without hindrance or sway from stakeholders in the firm. In fulfilling their role as a DPO, the individual must not be instructed on how to deal with a matter or swayed into a particular outcome. The DPO should be independent from the processing activities of the firm and, in this case, the individual should not determine the purpose and means of processing. Otherwise, the DPO risks running into conflicts of interest.