20/09/2023 - By year-end 2024, Gartner predicts that 75% of the world’s population will have its personal data covered under modern privacy regulations. Privacy regulation is on the rise globally and existing legislation is changing rapidly. In a data-driven world, increased protection of individual rights at a global level is welcome. However, as new privacy laws emerge there is a risk that the global legal landscape becomes fragmented. In the context of the General Data Protection Regulation (‘GDPR’), one of the benefits of having a harmonised legal framework was the option to appoint a single Data Protection Officer (‘DPO’) who could act on behalf of the entire group. New DPO requirements - or, in the case of the UK, the possible removal of the DPO requirement - call into question the ability of international organisations to appoint one DPO on behalf of the group. Since Brexit this question has become particularly relevant for organisations operating in both the EU and the UK, which now need to comply with the GDPR, the UK General Data Protection Regulation (‘UK GDPR’) and, in the not-so-distant future, the UK Data Protection and Digital Information (No 2) Bill (‘UK Bill’).
Are you curious about the implications global legal developments may have on your ability to appoint a group DPO? In this blog I will examine whether DPOs appointed under the GDPR can act as DPOs under the UK GDPR, what implications the proposed UK Bill may have on the role of the DPO, and what other global developments come into play.
Can a DPO appointed under the GDPR act as DPO under the UK GDPR?
The requirements for appointing a DPO are set out in articles 37-39 of the UK GDPR. These requirements are a copy of the requirements set out in articles 37-39 of the EU GDPR. The UK Data Protection Authority, the Information Commissioner’s Office (‘ICO’), summarises these requirements as follows (see here):
- The UK GDPR introduces a duty for you to appoint a DPO if you are a public authority or body, or if you carry out certain types of processing activities.
- DPOs assist you to monitor internal compliance, inform and advise on your data protection obligations, provide advice regarding Data Protection Impact Assessments (DPIAs) and act as a contact point for data subjects and the ICO.
- The DPO must be independent, an expert in data protection, adequately resourced, and report to the highest management level.
- A DPO can be an existing employee or externally appointed.
- In some cases, several organisations can appoint a single DPO between them.
- DPOs can help you demonstrate compliance and are part of the enhanced focus on accountability.
The UK GDPR and the ICO do not specifically comment on the possibility for UK businesses to appoint a DPO located in the EU. What is instead relevant and important is whether the DPO requirements set out in articles 37-39 of the UK GDPR are satisfied.
The UK GDPR says that you should appoint a DPO based on their professional qualities, and in particular, experience and expert knowledge of data protection law. It doesn’t specify the precise credentials they are expected to have, but it does say that this should be proportionate to the type of processing that is carried out, taking into consideration the level of protection the personal data requires (see here).
Therefore, provided the appointed DPO has knowledge of the UK GDPR, this requirement would be satisfied. At this moment in time any DPO who has expertise in the GDPR will also have expertise in the UK GDPR, as the latter is a copy of the former. Furthermore, a DPO with expertise in the GDPR would also be well positioned to monitor, understand and advise on changes to the UK GDPR should the UK decide to depart from its current position in the proposed Bill (see sub-heading below).
The ICO also confirms on its website that organisations in the UK may appoint a single DPO to act for a group of companies (see here). If a DPO covers several organisations, they must still be able to perform their tasks effectively, considering the structure and size of those organisations, and must be easily accessible, so their contact details should be readily available to the ICO, employees, and other people whose personal data you process. Again, there is no reason why a DPO based in the EU but accessible to the UK business cannot fulfil this requirement. What may be a relevant factor in this situation is whether a DPO located in a different country can communicate effectively in the working language of the organisation they are advising. If, for example, a DPO located in the EU can work professionally in English, this would not be an issue. This is no different from the current position under the GDPR, which permits a DPO located in one EU member state to provide services to an organisation located in a different member state.
In conclusion, a DPO with expertise in the GDPR who is accessible to businesses in the UK is well positioned and legally permitted to continue providing DPO services on behalf of the group.
Does the UK Data Protection and Digital Information Bill mark the end of the DPO function in the UK?
Anyone monitoring the UK government’s proposed data protection Bill will know that one of the biggest changes concerns the decision to abolish the legal requirement to appoint a DPO and to establish instead a new obligation to appoint a Senior Responsible Individual (‘SRI’).
What is the difference?
The crucial difference between the roles is that the DPO must be an independent advisor with access to senior management, while the SRI must be an official member of senior management. The SRI will be expected to take responsibility for compliance with the data protection rules and to play an active role in assessing risks and taking decisions based on those risks. These are responsibilities more comparable to those of a Chief Privacy Officer, which the DPO cannot fulfil without creating a conflict of interest. Therefore, it will not be appropriate for a group DPO to take on the new responsibilities of the SRI.
Will the two roles coexist?
Despite the specific obligation to appoint a DPO being removed, organisations will still need to ensure compliance with all other privacy obligations (e.g., Privacy Principles, High Risk ROPA, Data Processing Agreements, Third Country Transfers etc.). Therefore, the SRI will likely need the support of privacy professionals to monitor compliance, develop and implement measures, organise and deliver training and manage complaints and data breaches. In practice, it is expected that organisations will appoint an existing senior manager (e.g., the Chief Privacy Officer) as the SRI, who in turn could seek support from the DPO and Privacy Officers (see earlier blog on the different roles). Just as Chief Financial Officers (‘CFOs’) require the support of the internal auditor, group DPOs will be an enormous asset to the SRI in monitoring and reporting on compliance.
In conclusion, despite the formal obligation to appoint a DPO possibly being abolished, DPOs are likely to continue playing a vital role in the UK’s future privacy landscape. In practice, a DPO with expertise in the GDPR who is accessible to businesses in the UK will be well positioned to continue providing DPO services on behalf of the group.
Other global developments?
On the 27th of November 2021 the Federal Decree-Law No. 45 of 2021 regarding the Protection of Personal Data (‘PDPL’) was published by the United Arab Emirates (‘UAE’) Cabinet Office. The PDPL introduces a requirement to appoint a DPO who has sufficient skills and knowledge in data protection to oversee compliance (Articles 10 and 11 of the PDPL).
The PDPL helpfully confirms that the DPO can be an employee of the company or an external party, who may be based inside or outside the UAE (Article 10(2) of the PDPL). As such, organisations that have DPOs appointed under the GDPR could use the same individual to fulfil a similar role in relation to the UAE, provided that individual has knowledge of, and support on, UAE requirements.
As under the current UK GDPR, a DPO with expertise in the GDPR who is accessible to businesses in the UAE is well positioned to continue providing DPO services on behalf of the group from the EU.
Should I appoint a global DPO?
As the world introduces more data protection laws, the situation that emerges is reminiscent of the pre-GDPR days in Europe, when each EU member state implemented its own similar but different variation of the Data Protection Directive. The solution at that time was to identify the strictest standard and design a Privacy Governance Framework (PGF) meeting that standard, to ensure the PGF not only responded to all legal requirements but also enabled a harmonised approach that would allow privacy programmes to be truly operationalised.
Looking at the incoming wave of new privacy laws and regulations, there is perhaps a lesson in history which tells us that global organisations wrestling with new privacy legal frameworks should once again identify the highest global standard and design their PGF in accordance with that baseline. That standard today is still arguably the GDPR, with a DPO appointed under the GDPR being a strong and convincing candidate to act as a global group DPO.