Iain Garfield, Partner and Head of Commercial at BPE Solicitors, looks at the proposed changes to the role of data protection officers and what impact the government’s consultation might have on businesses.
Just when businesses were starting to get the hang of complying with the UK GDPR and the Data Protection Act 2018, the UK Government issues a new consultation on changing parts of the current legislation. Ignoring the fact that changing the law will result in the UK diverging from the rest of the European Union, thus potentially putting at risk the current ability to seamlessly transfer data from the EU into the UK, there are nevertheless a number of interesting proposals in the consultation paper.
One of the more interesting is the proposal to remove the requirement for certain businesses to appoint data protection officers.
Under articles 37 to 39 of the UK GDPR, the following types of organisations are required to appoint a data protection officer:
- All public authorities
- Any business whose ‘core activities’ consist of “processing operations which require regular and systematic monitoring of data subjects on a large scale”
- Any business whose ‘core activities’ consist of “processing special categories of data and personal data relating to criminal convictions and offences on a large scale”
Other businesses are entitled to appoint data protection officers if they wish, but it is not mandatory.
A data protection officer can be an individual employee, or it can be an outsourced service provider, but in either case the officer must have “expert knowledge of data protection law and practices”. In addition, the officer must:
- Be responsible for advising the business on its data protection obligations.
- Be involved (properly and in a timely manner) in all business issues relating to personal data.
- Be given by the business all necessary resources to carry out its responsibilities and duties (including staying up-to-date with changes in data protection law).
- Monitor the business’s compliance with data protection law (including ensuring the business provides adequate training for its staff).
- Be free to carry out its responsibilities and duties without instruction or interference from the business.
- Not be dismissed, removed or penalised in any way as a result of carrying out its responsibilities and duties.
- Report directly to the highest level of management within the business.
- Not carry out any other tasks for the business that would conflict with, or prevent it from carrying out, its responsibilities and duties as data protection officer.
- Be the business’s liaison with the Information Commissioner’s Office.
The Government recognises that some businesses may struggle to appoint an officer with the requisite skills, and who is sufficiently independent. As a result, if the proposed new laws are adopted, businesses will not have to appoint data protection officers any longer.
Instead, each business will be expected to designate one or more “responsible individual(s)”. But is this simply a data protection officer by another name?
Whilst those individuals would still be expected to oversee that business’s data protection compliance, it would be for the business to decide what skills, experience and qualifications those individuals should have. Each business would have more freedom in how it instructed those individuals to carry out their tasks but, most noticeably, the phrase “responsible individual(s)” seems to suggest that outsourcing responsibility to external consultancies would not be acceptable.
Therefore, reports of the death of data protection officers may be somewhat premature. Even if the Government’s proposals do find their way into law in the future, there is unlikely to be a significant change, insofar as businesses will still need to ensure that one or more individuals are tasked with ensuring compliance with the law. Same job, different job title?
The consultation period is due to end in mid-November, and the industry looks forward to reading the Government’s response whenever it is published thereafter.
For more information on your requirements in relation to GDPR and data protection officers within your organisation, contact Iain Garfield at firstname.lastname@example.org or call 01242 248246.