The General Data Protection Regulation (GDPR) came into effect on 25 May 2018. It extends the rights of individuals over how their personal data is processed and harmonises data protection law across the EU: as a regulation rather than a directive, it applies directly to organisations without needing to be transposed into national law.
One change introduced by the GDPR is that some organisations now have to appoint a data protection officer (DPO). A DPO is required for all public authorities, and for organisations that process large amounts of sensitive data or “conduct regular and systematic monitoring of data subjects on a large scale”. Most health and social care organisations are required to appoint a DPO.
The appointment of a DPO has been a hot topic among primary care providers. The Pharmaceutical Services Negotiating Committee (PSNC) and the National Pharmacy Association (NPA) lobbied unsuccessfully to exempt some organisations, including smaller pharmacies, from the requirement. In a House of Commons debate on 9 May, Minister for Digital and the Creative Industries Margot James spoke about the sensitive nature of the data processed by all primary care organisations, including pharmacies, stating that “it does not seem unreasonable that bodies who process that kind of data should have a single point of contact on data protection matters”.
The outcome is that all primary care providers, including community pharmacies, are treated as public authorities for GDPR purposes and must therefore appoint a DPO.
What are the responsibilities of the DPO?
Because the DPO role is a new requirement in the UK, and because there is a general shortage of data protection and cyber security skills, organisations may find it difficult to recruit a suitably qualified person.
The DPO should educate the organisation on important compliance requirements, monitor GDPR compliance, and serve as a point of contact between the organisation and its supervisory authority – in the case of the UK, the Information Commissioner’s Office (ICO). They are also required to report to the highest management level (i.e. board level), who should provide them with adequate resources to fulfil their obligations.
A comprehensive overview of the DPO’s tasks is set out in Article 39 of the GDPR.
The guidance for health and social care organisations from the Information Governance Alliance (IGA) also outlines the DPO’s responsibilities:
- “To support programmes of work from inception to ensure that data protection is addressed by default and in the design of new systems and information processes”;
- “To be available to be contacted directly by data subjects – the contact details of the data protection officer will be published in the organisation’s privacy notice”;
- “To develop or advise senior management on the development and establishment of policies, procedures and other measures to ensure compliance with the GDPR” and to “monitor compliance with these measures”, providing reports to all levels of management;
- “To consult with the Information Commissioner’s Office (ICO) where proposed processing poses a high risk in the absence of proposed mitigations” and to cooperate with the ICO on any matters relating to data protection; and
- To “ensure that the organisation can demonstrate compliance with all aspects of the GDPR”.
The DPO role can be filled by an existing employee, provided they have expert knowledge of data protection law and their other professional duties are compatible with those of the DPO. The DPO must not have a conflict of interest, so the role should not be given to someone who decides how personal data is processed, or who manages its processing, as part of another role (for example the head of IT or the head of HR). The DPO position can also be contracted out, as discussed below.
DPO as a Service
Outsourced DPO services are appearing more frequently and can be a cost-effective option for organisations that lack the necessary in-house expertise. An external DPO should already have extensive data protection and legal knowledge, and can offer an impartial service that is free of the internal conflicts of interest described above.
Outsourced DPO services take many forms, ranging from advisory and support services to fulfilling the full scope of the DPO role on a subscription basis. Organisations should be clear about their own needs, and the role that any third-party provider will fulfil should be agreed and documented. Outsourcing the role does not transfer accountability: the organisation remains responsible for its own compliance, so the contract should define the scope of the service, response times, and who does what when a breach must be reported to the ICO. Managing expectations now and planning accordingly can prevent financial and reputational damage in the event of a breach or inspection.
The DPO’s required level of expertise is not defined in the GDPR, but it must be proportionate to the sensitivity, complexity and volume of the data you process. For health and social care providers, this can be extensive. The DPO must have expertise in national and European data protection law and practice, and an in-depth understanding of the GDPR. They should also understand your processing activities, information systems, and data security and data protection needs, and have a sound knowledge of your administrative rules and procedures.
As yet, there are no accredited qualifications against which organisations can assess DPO services; organisations must perform their own due diligence on any provider they engage.
IT Governance is about to launch a DPO service that addresses the requirements faced by organisations that process patient data and the restricted budgets that are often a barrier for the health and social care sector. For more information or to discuss a pre-launch package, contact us at firstname.lastname@example.org.