When do you need to appoint a Data Protection Officer?
With the GDPR (General Data Protection Regulation) coming into force on 25 May 2018, organisations are hurrying to satisfy every rule in the regulation. However, doubts about some of its guidelines persist.
In this blog, we aim to address one of the main concerns: when do you need to appoint a Data Protection Officer?
What counts as personal data under GDPR?
GDPR comes into force in a few days, and organisations are busy with the tasks needed to ensure compliance. Personal data forms the foundation of GDPR, since the main aim of the regulation is data protection and privacy. Although there is no definitive classification of personal data, it is possible to identify it using the definitions GDPR provides.
Personal data means information relating to an identified or identifiable natural person, termed the data subject in GDPR. An identifiable person is one who can be identified by a reference such as a name, location data or an identification number, by reference to their physical, physiological, mental, economic, cultural or social identity, or through an online identifier. Even information such as an IP address, political affiliation or hair colour can be personal data, depending on the context in which it is used.
The scope of personal data
Ascertaining the scope of personal data, that is, specifying which data is ‘risk-prone’, is difficult. For example, collecting users’ occupations for a survey cannot be considered harmful on its own. However, when the occupation is combined with further information, such as location, the name of the employer or the name of the person, it can reveal the person’s identity.
While personal data is hard to classify exhaustively, here is a broad list of things that could fall under it.
- Information on the current living situation or biographical information
This covers details such as address, email addresses, phone numbers, social security number, dates of birth and so on.
- Description of looks, appearance or behaviour
Information such as eye colour, hair colour, height, weight, skin tone or character traits.
- Information about education or workplace data
Details of education such as student number, place or subject of study, tax details, salary or workplace name and addresses.
- Private, subjective data
Details such as political opinions, religion or geolocation tracking data.
- Information regarding health and genetics
Data regarding medical history, sick leave or genetics.
Who is a Data Protection Officer?
A Data Protection Officer acts as an independent advocate within the organisation for the security of customers’ data. The officer keeps track of the various data protection laws and regulations while conducting internal privacy assessments, which lets them ascertain whether all of the organisation’s data protection policies are up to date.
A DPO’s scope of work includes the following:
- Setting defensible retention periods for personal data
- Authorising specific workflows to ensure proper data access
- Outlining the procedure for keeping retained data anonymous
- Constantly monitoring systems to ensure the security of customers’ data
- Informing and advising employees and management about their data protection obligations
- Serving as the point of contact between the organisation and the data protection authorities
- Serving as the point of contact for users on privacy matters
Which organisations are required to appoint a Data Protection Officer under GDPR?
This question has been doing the rounds ever since the European Union decided to adopt GDPR. Article 37 of GDPR addresses it directly.
According to Article 37, a Data Protection Officer must be appointed if:
- The organisation is a public authority, other than a court.
- The core activities of the organisation consist of regular, systematic and large-scale monitoring of individuals within the EU, such as tracking online behaviour.
- The core activities of the organisation involve large-scale processing of special or sensitive data, such as data on criminal activities, offences or convictions.
The definition of a public authority is provided in the Freedom of Information Act 2000 (FOIA). That definition applies for GDPR purposes as well, unless an act or amendment states otherwise.
The core activities of an organisation are its primary business activities. Hence, if processing personal data is a prerequisite for achieving the primary objective of the business, that processing is a core activity and the organisation needs to appoint a DPO for GDPR compliance. On the other hand, using personal data for activities such as HR and payroll processing is considered a secondary activity.
Regular and systematic monitoring
Regular and systematic monitoring refers to all forms of profiling and tracking, by offline and online methods. The extent of monitoring is assessed by taking into account the number of data subjects concerned, the volume of personal data processed, the range of data items processed, the duration of the activity and its geographical extent.
Appointing the DPO
The DPO need not be a new employee. An existing employee can be selected if they fit the scope of work. It is also possible to contract an external DPO under a well-prepared service contract. The DPO’s contact details need to be published and submitted to the ICO.
How to handle personal data for GDPR compliance?
The first task in ensuring GDPR compliance is to identify whether the data you collect can be classified as personal data. If you are not sure about its nature, it is safer to treat it as personal data than to take the risk.
Once collected, personal data should be encrypted and pseudonymised. Pseudonymisation replaces identifiers with artificial identifiers. It is an important part of GDPR and is mentioned about 15 times in the regulation’s text. Although it helps ensure data protection and privacy, pseudonymisation has its limitations, so GDPR suggests encryption alongside it.
Encryption is similar to pseudonymisation in that it replaces the identifiers with a substitute set of values. The difference is that a pseudonymised dataset remains visible to everyone who holds it, whereas encryption allows access only to authenticated users. The two processes can be used separately or together, and using them together gives better data security.
With only a few days to go until the GDPR compliance deadline, it is high time these requirements were met, to avoid the brunt of a GDPR penalty!
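As an added illustration of the pseudonymisation step described above (example code written for this post, not code from the original or from any product), the following Python replaces the direct identifiers of a constructed dataset with keyed HMAC tokens and keeps the re-identification table separately; the quasi_identifiers helper shows what stays readable to anyone holding the pseudonymised dataset, which is the limitation the post refers to. The field names, records and key are assumptions made for the example.

```python
import hashlib
import hmac
from typing import Dict, List, Tuple

# Constructed sample dataset (no real people): biographical and workplace fields of
# the kind the post lists, plus a health field (sick days) that must stay protected.
RECORDS: List[dict] = [
    {"name": "Alice Example", "email": "alice@example.org", "occupation": "nurse",
     "city": "Leeds", "sick_days": 4},
    {"name": "Bob Example", "email": "bob@example.org", "occupation": "teacher",
     "city": "York", "sick_days": 1},
    {"name": "Alice Example", "email": "ALICE@example.org", "occupation": "nurse",
     "city": "Leeds", "sick_days": 2},
]
DIRECT_IDENTIFIERS = ("name", "email")  # fields that identify a person on their own

def pseudonym(value: str, key: bytes) -> str:
    """Keyed HMAC token: stable for the same identifier (after normalisation) so that
    records stay linkable, but not recomputable or reversible without the secret key."""
    return hmac.new(key, value.strip().lower().encode(), hashlib.sha256).hexdigest()[:16]

def pseudonymise(records: List[dict], key: bytes) -> Tuple[List[dict], Dict[str, str]]:
    """Replace direct identifiers with tokens. Returns the dataset that may be shared
    with analysts and the re-identification table, which must be stored separately."""
    lookup: Dict[str, str] = {}
    output = []
    for rec in records:
        new = dict(rec)
        for field in DIRECT_IDENTIFIERS:
            token = pseudonym(rec[field], key)
            lookup.setdefault(token, rec[field])  # first-seen spelling wins
            new[field] = token
        output.append(new)
    return output, lookup

def reidentify(record: dict, lookup: Dict[str, str]) -> dict:
    """Only a holder of the separately stored table can restore the identifiers."""
    return {k: (lookup.get(v, v) if k in DIRECT_IDENTIFIERS else v)
            for k, v in record.items()}

def quasi_identifiers(record: dict) -> dict:
    """What anyone holding the pseudonymised dataset still sees: occupation plus city
    may single a person out in a small population, hence the post's advice to encrypt too."""
    return {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}

if __name__ == "__main__":
    demo_key = b"controller-secret-kept-outside-the-dataset"  # constructed demo key
    dataset, table = pseudonymise(RECORDS, demo_key)
    print(dataset[0])                      # tokens in place of name and email
    print(reidentify(dataset[0], table))   # original record, given the table
```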