But are they Paid Enough?
The European Union General Data Protection Regulation (GDPR) is being subsumed into British domestic legislation, and is now the basis for a new Data Protection Act, replacing the old 1998 Act, itself based on a 1995 EU Directive. For this reason, until the new Act receives Royal Assent, this piece continues to refer to the GDPR. The pending legislation is, overall, causing much generalised debate regarding its implications and where Data Protection practice in the UK is destined.
There has been substantial specific debate and concern about who should be appointed as the Data Protection Officer (DPO) under the GDPR within healthcare organizations. In this section we will attempt to inject some order into the confusion. The analysis has concentrated on the GDPR itself, along with guidance from the Article 29 Working Group (WP29) and the UK Information Commissioner’s Office (ICO), and significant discussion between the authors, both interpersonally and online, with Information Governance (IG) and Data Protection professionals.
The perspective here is mostly applicable to Acute trusts within the National Health Service (NHS), although its message is likely to be applicable more broadly across the UK healthcare sector.
Is a DPO Required?
GDPR Article 37 states that a DPO is needed in any case where:
- The processing is carried out by a public authority or body, except for courts; or
- The core activities of the Data Controller or the Data Processor consist of processing operations which, by virtue of their nature, their scope and / or their purposes, require regular and systematic monitoring of data subjects on a large scale; or
- The core activities of the Data Controller or the Data Processor consist of processing large volumes of Special Categories of Data or information about criminal convictions and offences.
Whereas it is common understanding that the NHS is a public body, the term “public authority or body” is, rather unhelpfully, not defined in the GDPR. For the sake of clarity, however, it is apparent by extrapolation from the definition in Schedule 1 of the Freedom of Information Act 2000 that the NHS is indeed included.
Who Should Be the DPO?
It is perfectly acceptable for public bodies to appoint a single DPO to be shared between authorities. It may be beneficial that the DPO is shared between healthcare organizations working in close partnership with each other, or perhaps across several organizations within a localized partnership.
GDPR Article 38 is clear about the position of the DPO, in that the Data Controller and Data Processor shall:
- Ensure that the DPO is involved, properly and in a timely manner, in all issues which relate to the protection of personal data.
- Support the DPO in performing their tasks by providing resources necessary to carry out those tasks and access to personal data and processing operations, and to maintain their expert knowledge.
- Ensure that the DPO does not receive any instructions regarding the exercise of those tasks. He or she shall not be dismissed or penalized by the Data Controller or the Data Processor for performing his or her tasks. The DPO shall report to the highest management level.
DPO Tasks & Duties
The DPO shall be bound by secrecy or confidentiality concerning the performance of his or her tasks. The Data Controller or Data Processor shall ensure that any such tasks and duties do not result in a conflict of interests.
With regard to the last point, WP29 clarifies that:
As a rule of thumb, conflicting positions within the organization may include senior management positions (such as chief executive, chief operating, chief financial, chief medical officer, head of marketing department, head of Human Resources or head of IT departments) but also other roles lower down in the organisational structure if such positions or roles lead to the determination of purposes and means of processing. In addition, a conflict of interests may also arise for example if an external DPO is asked to represent the controller or processor before the Courts in cases involving data protection issues.
DPOs do not have to be lawyers, but need expert knowledge of Data Protection law and practices. From a practical perspective, they must also have an excellent understanding of the organization’s governance structure and be familiar with its IT infrastructure and technology.
The DPO role may be employed (“internal DPO”), or there may be circumstances where they may act under a service contract (“external DPO”). In both cases, they must be given the necessary resources to fulfill the relevant job functions and be granted a certain level of independence, to be able to act in the necessary “independent manner.”
The DPO does not have to be a standalone role, and may have other tasks within the organization, so long as they do not interfere with the DPO role. WP29 has made it clear that the DPO “cannot hold a position within the organization that leads him or her to determine the purposes and the means of the processing of personal data.”
Many healthcare organizations already have staff in place who oversee most issues relating to Data Protection. These roles generally have titles such as Head of IG, IG Lead, IG Manager or Privacy Officer. It is anticipated that these roles will be the most appropriate to undertake the DPO role within healthcare organizations with mature IG models.
What are the Qualifications to be a DPO?
GDPR Article 37 does not absolutely define the credentials for a DPO beyond “expert knowledge of data protection law and practices.” The GDPR’s Recitals add that this should be “determined in particular according to the data processing operations carried out and the protection required for the personal data processed by the controller or the processor.”
Realistically, this is a member of staff with detailed expert knowledge and experience of applying IG and Data Protection principles within a healthcare environment.
The WP29 guidance clarifies this further:
Although Article 37(5) does not specify the professional qualities that should be considered when designating the DPO, it is a relevant element that DPOs should have expertise in national and European data protection laws and practices and an in-depth understanding of the GDPR. It is also helpful if the supervisory authorities promote adequate and regular training for DPOs.
DPO Qualifications & Experience
Knowledge of the business sector and of the organization of the controller is useful. The DPO should also have sufficient understanding of the processing operations carried out, as well as the information systems, and data security and data protection needs of the controller. In the case of a public authority or body, the DPO should also have a sound knowledge of the administrative rules and procedures of the organization.
What are the Tasks of the DPO?
The DPO’s tasks are very clearly delineated in the GDPR Article 39, to:
- Inform and advise the Data Controller or Data Processor and the employees who carry out processing of their Data Protection obligations
- Monitor Data Protection compliance
- Assign responsibilities, awareness-raising, and training of staff involved in processing operations
- Undertake internal audits of Data Protection
- Provide advice on the need for, and completion of, Data Protection Impact Assessments
- Cooperate with the ICO and act as the contact point for any issues relating to processing
- Undertake or advise on the potential risk of processing activities.
What are the Organization’s Responsibilities?
The most essential requirement is that the DPO must be allowed to perform their tasks in an independent manner. They need to report to the highest management level in the organization and cannot be dismissed or penalized for doing their job (i.e. giving advice). This will require a robust governance reporting structure for the DPO to function and evidence that advice has been accepted or rejected.
GDPR Article 38 requires the organization to support its DPO by ‘providing resources necessary to carry out [their] tasks and access to personal data and processing operations, and to maintain his or her expert knowledge’. The WP29 Guidance adds that, depending on the nature of the processing operations and the activities and size of the organization, the following resources should be provided to the DPO:
- Active support of the DPO’s function by senior management (such as at board level).
- Sufficient time for DPOs to fulfil their duties.
- Adequate support
- Official communication of the designation of the DPO to all staff
- Necessary access to other services
- Continuous training
Given the size and structure of the organization, it may be necessary to set up a DPO team (a DPO and his/her staff). Similarly, when the function of the DPO is exercised by an external service provider, a team of individuals working for that entity may effectively carry out the tasks of a DPO as a team, under the responsibility of a designated lead contact for the client. 
Failure to appoint a DPO where required can lead to significant ramifications. Administrative fines can be as high as the equivalent of €10m (almost £9m at time of writing) or 2% of the organization’s turnover, whichever is higher. The appointment of a DPO is not only a legal requirement, it must also be seen as an efficient way to ensure Data Protection compliance, something that is especially true when it comes to sophisticated Data Processing activities and cross-border data flows.