DPO

Do I need a DPO?

There is a certain amount of confusion in Ireland about DPOs since GDPR came into force. In 95% of cases we tell Irish organisations that they don't need one. How do we come to that conclusion? It is worth stepping back for a moment and thinking about what GDPR actually says about the requirement for a DPO:

The Law

Article 37(1) of the GDPR mandates that a DPO be appointed in three specific cases:

  1. where the processing is carried out by a public authority or body
    (except for courts acting in their judicial capacity);
  2. where the core activities of the controller or the processor
    consist of processing operations which, by virtue of their nature,
    scope and/or purposes, require regular and systematic monitoring
    of data subjects on a large scale; or
  3. where the core activities of the controller or the processor
    consist of processing on a large scale of special categories of
    data or personal data relating to criminal convictions and
    offences.

If you don't fall under one of these three cases, then you, like 95% of the organisations we deal with, don't need a DPO. (Article 37(4) does allow Member State law to require a DPO in other cases, so check national law as well.) It is possible to appoint a DPO anyway, and there are good reasons for doing so, but we advise caution: a voluntarily appointed DPO is subject to the same Article 37 to 39 requirements as a mandatory one. (A post on this specific topic will follow in time.)

Large Scale

One tricky part of this definition is understanding what "large scale" consists of. The Article 29 Working Party (WP29) produced guidance on this topic, and that guidance will be tested in courts across the EU for many years. It uses two examples from the healthcare sector, one a hospital and the other a doctor in a lone practice.

WP29 gives "processing of patient data in the regular course of business by a hospital" as an example of large-scale processing.

Among its examples that do not constitute large-scale processing is "processing of patient data by an individual physician".

Clearly there is a huge grey area between these two extremes: what about a small hospital or a clinic? What about a group of GPs who band together?

Indeed, it is not possible to give a precise number, either of records processed or of individuals concerned, that would apply in all situations in Ireland, let alone across the EU. WP29 does, however, list the factors to weigh: the number of data subjects concerned (as a specific number or as a proportion of the relevant population), the volume of data and/or the range of data items processed, the duration or permanence of the processing, and its geographical extent. In time it is expected that standard practice will develop for identifying, in more specific and/or quantitative terms, what constitutes "large scale" for common types of processing.

Core Activities

The other tricky point is understanding "core activities". Recital 97 specifies that the core activities of a controller relate to "primary activities and do not relate to the processing of personal data as ancillary activities". Core activities can be considered as the key operations necessary to achieve the controller's or processor's goals.

Here it is worth looking at some further examples provided by WP29.

Sticking with the medical sector, the core activity of a hospital is to provide health care. However, a hospital could not provide modern healthcare without personal data such as patients' health records. "Therefore, processing these data should be considered to be one of any hospital's core activities and hospitals must therefore designate DPOs."

On the other hand, a manufacturing organisation processes personal data in order to pay employees or operate a work roster. These are supporting functions for the organisation's core activity or main business: "Even though these activities are necessary or essential, they are usually considered ancillary functions rather than the core activity."

The distinction, in WP29's words, is that "core activities" should not be interpreted as excluding activities where the processing of data forms an inextricable part of the controller's or processor's activity. That is what brings the hospital, but not the manufacturer, within Article 37(1).

Documenting a decision

Unless it is obvious that an organisation is not required to designate a DPO, WP29 recommends that controllers and processors document the internal analysis carried out to determine whether or not a DPO is to be appointed, so that they can demonstrate that the relevant factors have been properly taken into account. This analysis is part of the documentation kept under the accountability principle, may be requested by the supervisory authority, and should be updated when the organisation takes on new activities or services that might fall within one of the Article 37(1) cases.

Conclusion

Only a very small percentage of Irish organisations require a DPO, whether as an employee or as an outsourced service. Those that do are either public bodies, which the public has no choice but to deal with, or organisations whose processing meets the "core activities" and "large scale" tests above. For organisations that are thinking about appointing a DPO, this article suggests some alternatives and explains more about the competencies required of a DPO. To learn more about what a DPO does, read this article.

Even where an organisation concludes that it doesn't need a DPO, it should document that decision and the reasoning behind it.
