UK: Charities, Data Protection Officers, GDPR: Where Are We Now?

Last Updated: 8 August 2019
Article by Kenneth Mullen, Chris Priestley, Hugh More, Kate Taylor and Alison Paines

On 18 June Withers held a round-table discussion to review one of the key provisions of the GDPR legislation introduced a year ago: the role of the Data Protection Officer (‘DPO’). The event was well-attended by representatives from a range of large and smaller charities – including a few DPOs.

The event began with an introduction by Chris Priestley, Head of the Withers Charities and Philanthropy Team, who noted that over the past year many charity clients have been requesting advice on the role of DPOs. We know that many of our charity clients are still finding their way in thinking about the role of a DPO, whether they need to employ one and who that may be.

The panel consisted of Kenneth Mullen, Withers’ data protection specialist who has been advising many charities in advance of the introduction of GDPR and deals with ongoing queries on information protection generally; Alison Paines, a partner in the Charities team, who shared her experience advising charities on governance and accountability; and Hugh More, special counsel in the Withers employment team, to advise on the employment law issues in relation to employing a DPO.

Q. What is a DPO and why has having one now become such a big issue for organisations?

A. The GDPR aimed to make organisations accountable for data protection and imposed a requirement on those organisations to demonstrate compliance. The DPO is a cornerstone of this accountability and compliance concept. Although it is the first time that the law obliges certain organisations in the UK, including charities, to appoint a DPO, we have already seen DPOs in place in a number of EU countries for a number of years, such as Germany.

Q. Do all charities need to appoint a DPO? How can smaller charities meet the legal requirements if they are required to appoint a DPO?

A. Not all charities will need to appoint a DPO. There are three situations where an organisation will need to appoint a DPO:
1. The organisation is a public authority or public body (with the exception of parish councils and the courts);
2. The organisation’s core activity requires regular and systematic monitoring of data subjects on a large scale;
3. The organisation’s core activity consists of processing special categories of data, such as health data, biometric data or criminal history, on a large scale.

In respect of scenarios 2 and 3, the concepts of the processing being a “core activity” and on a “large scale” are important qualifications. When considering whether the processing of special category data is a “core activity” or not, the organisation should look at whether its main activities are inextricably linked to the processing of such data. An example provided by the EU regulatory authorities under scenario 3 is a large hospital having to process patient health records, which is clearly part of its core activities. Charities that, as part of their key activities, provide welfare services to individuals who have health issues (and collect health data) would therefore similarly need to consider whether they qualify.

There is no clear guidance on what constitutes “large scale” processing and there are examples of the definition giving rise to different interpretations across Europe. Regulatory guidance from the EU suggests that, in determining what is “large scale”, an organisation must have regard to the volume of data being processed, the number of data subjects involved, the permanence of the processing activity and the geographic scope of personal data being collected.

The size of the charity is not relevant in itself. Smaller charities that are required to appoint a DPO could consider appointing an external DPO or sharing a DPO with other, similar organisations.

Q. If a charity has decided it should appoint a DPO, who should the DPO be? Can it be an existing employee?

A. Yes, the DPO can be appointed internally or externally. If appointing an existing employee who already has another role, thought must go into whether they have the capacity to act as DPO. In particular, the GDPR requires that the DPO acts on an independent basis and that their role as DPO does not conflict with their other tasks and duties.

EU guidance suggests that some roles such as Head of HR or Marketing may, by their nature, give rise to a conflict.

Q. Who should the DPO report to? How does that interplay with a charity’s governance?

A. The GDPR says the DPO should report directly to the highest management level in the organisation, but the Regulation does not provide any detail as to what the highest level of management actually is. This can be a particular challenge for charities that don’t operate along conventional corporate lines. However, draft versions of the GDPR used the wording “executive management”, and this was replaced by “highest level of management” in the final version, so we can assume that “highest level of management” sits above “executive management”. Therefore the DPO must be given the right to report directly to the board, or, if appropriate, a committee of the board. I would recommend keeping a standing item on the agenda of board meetings for DPOs to report to the board.

Q. What are the other considerations for a DPO’s function in a charity?

A. In addition to the DPO’s functions of monitoring compliance with the GDPR and other data protection policies, a DPO must co-operate with the supervisory authorities. In the context of a charity, this includes not only the Information Commissioner’s Office but also the Charity Commission. So a DPO must understand when and what might need to be reported to the Charity Commission, including what constitutes a ‘serious incident’ so far as the Commission is concerned and how to report it. The Commission has recently changed its reporting process, and charities must now complete an online form which is much more prescriptive in the information required.

The importance of data protection in the charity sector is clear from the recent data breach reported by transgender support charity Mermaids UK where part of the charity’s email database was found to be available on the internet, including some special category data of beneficiaries.

Data breaches can also be very costly. Employees of the supermarket Morrisons have been permitted to bring a class action against their employer for a data breach caused by the criminal act of a rogue employee.

Q. What are your recommendations for charities that are not required to have a DPO?

A. Data is still fundamentally important to many charities, and appointing someone responsible for data protection is a useful discipline for monitoring compliance with data protection law. It is also important to keep in mind that where a charity does not need to appoint a DPO but does wish to appoint someone responsible for data protection, if that person is formally named as a ‘DPO’, the organisation will be deemed to be voluntarily submitting to the GDPR’s DPO regime and becomes subject to the full range of legal obligations regarding how that DPO is treated.

Q. Turning to employment implications, how should charities define the obligations of the role of the DPO?

A. DPOs should be appointed on the basis of professional qualities and expert knowledge of data protection law. The required level of experience should be commensurate with the sensitivity, complexity and amount of data that the organisation processes. Organisations should think carefully about defining a DPO’s specific responsibilities comprehensively in an employment contract or statement of duties. These will include:

  • Informing and advising the charity and its managers and employees of their obligations under the GDPR and other applicable data protection legislation;
  • Monitoring compliance with the GDPR and other applicable data protection legislation and with the charity’s data protection policies;
  • Providing advice, where requested, as regards data protection impact assessments (DPIAs) and monitoring performance;
  • Co-operating with the Information Commissioner’s Office (ICO) and acting as contact point for the ICO on issues relating to processing.

Q. How can a charity monitor conflicts of interest?

A. Conflicts of interest should be part of the initial scoping of the work, and the dynamics of the organisation should be taken into account. Generally, individuals such as the CEO, COO, head of marketing and head of IT would not be appointed as DPO, as they are likely to be conflicted. Working Party guidance also suggests implementing safeguards and ensuring that the job specification for the position of DPO is sufficiently precise and detailed to avoid conflicts of interest.

Q. Issues involving a DPO can range from the individual being over-zealous with finding issues that do not actually exist to being too demanding over resources. How should a charity address these and other issues that may arise with a DPO?

A. What is important is to be clear from the start how appraisals will work and what the ongoing assessments will be. The guidance is not prescriptive in relation to dismissal and other detriment for performance in the DPO role, but DPOs are protected to the extent that penalties against them are prohibited if they are imposed as a result of the DPO carrying out his or her duties as a DPO. The difficult question is where the line lies between conduct connected to the DPO role and conduct outside of it.

Another issue that can come up is if a charity has employed a DPO thinking that this would be a major role but, after a few months, it becomes clear that the role is not as demanding as originally thought. This may give rise to a redundancy situation or the role may be modified from a full-time position to a lesser requirement.

Charities also need to be careful that they employ someone who will actually be able to properly do the job of the DPO, with the expertise, knowledge of the organisation and independence to provide advice in line with GDPR requirements.

An outsourced provider can be a good choice if there are concerns about there not being enough work for a full-time internal DPO or about committing funding to a full-time DPO employee.

We are aware of a few service providers who are offering an ‘out of the box’ nominated DPO service for a few hundred pounds a year. This type of offering should be treated with caution since it seems unlikely to meet GDPR requirements. A charity that is obliged to appoint a DPO must not simply see this as ‘ticking a box’ to meet the requirement.

When appointing an external DPO, as well as considering whether they have the necessary knowledge, skills and qualifications to perform the job, it is important to consider liability and check that the provider is covered by appropriate insurance.

Q. How will GDPR be impacted by Brexit?

A. No one knows exactly. It is almost certain that a UK Data Protection Act will still apply that reflects EU law, and the ICO has been firm that a GDPR-style regime will continue to be in effect. To do business with the EU, UK businesses will probably need to match EU regulations, which means there will be little incentive to radically change UK law.

Q. Do the rules regarding conflicts of interest apply to individuals with data protection responsibility, such as a ‘data protection champion’, if one is appointed where a charity is not required to have a DPO?

A. No, not if they are not a regulated DPO, but the charity will still need to consider the further implications of having a conflicted DP Champion, as this could still be detrimental to their ability to perform the role, even though it is not regulated by the GDPR.

Another consideration is the relationship between DPO and internal auditor. The two must be complementary and able to work together, while maintaining the specific expertise and independence of the DPO.

Q. If a charity is collecting data from outside the EU, how can the charity ensure that its partners outside the EU comply with GDPR, which they themselves are not subject to?

A. If those partners are expecting a proper service from the EU-based charity, then they will need to respect the GDPR obligations that are incumbent on EU organisations, even if the data derives from outside Europe. It is worth remembering too that many non-EU countries are putting in place similar legislation regarding data protection.

Q. Resources can be an issue for charities – what can they do? Can charities use a group of people instead to cover all the skills of a DPO?

A. Yes, in some cases it can help to embed compliance if many people within the organisation have data protection roles and skills, and training will be important here.

Q. How should a charity deal with a DPO who is an employee but is also supposed to be independent?

A. This can be a difficult concept for both the charity and the DPO, but it does not necessarily mean that a charity concerned about independence should appoint an external DPO. Appointing someone internally has advantages too, since they have the “insider” expert knowledge of the charity’s operations that – as the GDPR makes clear – is also important for fulfilling the role of DPO. Importantly, if there is any potential conflict between the organisation’s views and those of the DPO, the DPO should document their opinion and ensure they are not seen to be unduly swayed by organisational concerns.

Q. How often should charities review their data protection compliance?

A. This will vary greatly by organisation and the particular personal data they are processing. Some may do this annually, some less frequently. It is clear that staff should be regularly trained on data protection compliance.

Much depends on the risk to data subjects presented by the processing, whether there is high staff turnover, and whether the organisation frequently changes its operations. An IT review or governance review could be used as a reminder to also conduct a review of data protection.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
