GDPR: do you need a data protection officer?

Data protection officers have existed for as long as data protection has been on the statute books. Initially including almost all IT staff under the original Data Protection Act 1984 (“Making sure 1984 isn’t like 1984”, as I once said), they have increasingly become information law and information management specialists under the 1998 Act. However, the appointment of a data protection officer was a matter of choice for all organisations, and many simply saw no need to do so.

The GDPR changes all that as of next May. Article 37 of the GDPR creates a new obligation to appoint a data protection officer in one of three cases:

"(a) the processing is carried out by a public authority or body, except for courts acting in their judicial capacity;

(b) the core activities of the controller or the processor consist of processing operations which, by virtue of their nature, their scope and/or their purposes, require regular and systematic monitoring of data subjects on a large scale; or

(c) the core activities of the controller or the processor consist of processing on a large scale of special categories of data… and personal data relating to criminal convictions and offences" – this is what you may recognise as sensitive personal data under the 1998 Act.

The first is simple enough, and public bodies are all busily identifying appropriate staff for the role. However for the law firm, the third category in particular merits closer consideration. If your firm does criminal defence work, you will of necessity be processing a lot of personal data relating to criminal convictions and offences. If your firm does personal injury work then you are likely to be processing a lot of special category data under the heading of medical conditions. Does this mean you need to appoint a data protection officer?

The short answer is the classic legal response: it depends. There is some helpful (and authoritative) guidance on the role of the DPO which has been issued by the Article 29 Working Party, available here. Applying the guidance to the question at hand, we are told that "‘Core activities’ can be considered as the key operations to achieve the controller’s or processor’s objectives. These also include all activities where the processing of data forms an inextricable part of the controller’s or processor’s activity."

So if you are a criminal defence firm, or a personal injury firm, you can’t do your job without processing this sort of data and so you would seem to be ticking the "core activities" box (although arguably this would also be dependent on the extent to which these areas of practice were indeed the core activities of the firm, as opposed to a minority activity). This then leads us to the second limb of the test, “processing on a large scale”. The guidance recommends that the following factors, in particular, be considered when assessing this:

• the number of data subjects concerned – either as a specific number or as a proportion of the relevant population;
• the volume of data and/or the range of different data items being processed;
• the duration, or permanence, of the data processing activity;
• the geographical extent of the processing activity.

The guidance does helpfully tell us that processing of personal data relating to criminal convictions and offences by an individual lawyer does not constitute large-scale processing, but the question is open for everyone else.

Law firms might find it helpful to consult the guidance, and the terms of articles 37 to 39 of the GDPR, and carry out a formal assessment against the criteria listed above, at the end of which you should know whether you need a DPO or not. The Information Commissioner may disagree with your assessment down the line and order you to get one where you had decided not to bother, but the fact of having documented this assessment will go a long way to heading off regulatory action. Such action is far more likely for those who simply haven’t bothered to do anything about this than those who have made a conscientious decision that they believed it was not required.

And if you do need a DPO, this doesn’t necessarily mean recruiting someone. Alternative models are available; the important point is to have the relevant knowledge and expertise in data protection available when it is needed. Firms with expertise in this field may see a potential growth area in terms of providing a DPO service to companies (and firms) who need a DPO but not necessarily a full time one. Having the Law Society of Scotland’s specialist accreditation in data protection and FOI would seem to be an ideal qualification for this.