Under the General Data Protection Regulation, it is not mandatory for every business to appoint a data protection officer (DPO) who informs the organisation about their obligations to comply, monitors compliance and is the main point of contact for all GDPR-related matters.
A DPO is mandatory in three specific cases:
1. public authorities or bodies;
2. where the core activities of the controller or processor consist of processing
operations which require regular and systemic monitoring of data subjects on a large scale;
3. processing on a large scale of special categories of data or personal data relating to criminal convictions and offences.
While ‘regular and systematic monitoring’ and ‘large scale’ are not defined under the GDPR, the Information Commissioner’s Office (ICO), the UK regulator, said: “It will be up to organisations to assess their processing activities and, in conjunction with our guidance (See the ICO’s ‘Guide to the GDPR’ – which it refers to as ‘a living document’) and A29’s guidance (Article 29 Working Party http://ec.europa.eu/information_society/newsroom/image/document/2016-51/wp243_annex_en_40856.pdf) determine if they meet the criteria requiring them to appoint a DPO.”
However, the ICO acknowledged: “We are aware of a number of questions around the appointment of DPOs and these are helping to inform the development of our guidance.”
Sue Robinson, the director of the National Franchised Dealers Association (NFDA), said: “Some larger dealers may be required to appoint a DPO because they either carry out large-scale systematic monitoring of individuals (for example, online behaviour tracking), or because they carry out large-scale processing of special categories of data or data relating to criminal convictions and offences.
“However, just because it is not mandatory for an organisation to appoint a DPO, does not mean that they should not do so. If they feel it is appropriate, any business can appoint a DPO.”
According to the NFDA, most dealers are extending the remit of a current employee, such as compliance officers, IT professionals or even accountants and company secretaries, to handle data protection.
Robinson suggested appointing data protection representatives at dealership or regional level who could manage day-to-day data protection activities, implement company data protection policy and report back to the main DPO or data protection manager (DPM).
Neil Addley, the managing director of Trusted Dealers, said: “If you’re a large group, it’s my opinion you do need to appoint a DPO because of the volume of data flowing through multiple dealerships and from multiple sources. I would be surprised if all the larger groups have not appointed someone and probably appointed someone or an agency to map their data flows.
“Smaller groups probably don’t need or want to appoint a DPO, but they need someone with ‘stripes’ to take responsibility for data protection.”
Madeleine Ansbro, the head of compliance at Marshall Motor Group, said: “The decision on the formal appointment of a DPO has not been made yet. If a DPO is appointed (which is highly likely) then it will be at group level, with training provided at each dealership.”
She added: “Each dealership unfortunately will have to decide for itself whether it must appoint a DPO. There cannot be one stock answer as it has to be based on an individual business assessment. Whatever it decides, it must document its decision and its reasoning.”
Ardi Kolah, executive fellow and director of the GDPR transition programme at Henley Business School, founder of GO DPO and the keynote speaker at AM’s recent GDPR conference (See page 50), said: “A DPO does not have to be a new member of staff, they could be part-time or someone in-house who can be trained. The larger the
dealership, the more likely it is a DPO is needed, the smaller the business then a full-time DPO may not be sensible.”
He advised training a person in-house (Henley Business School has designed a one-day workshop for this purpose), but warns about potential conflicts of interest such as IT employees who would investigate themselves should a cyber-security breach occur.
Anyone incorporating the DPO remit into their job description could find themselves in demand – in a story headlined ‘Rise of the data protection officer’, Reuters recently referred to the DPO role as ‘the hottest tech ticket in town’.