The role of data protection officer (“DPO”) is compulsory for many organisations and is increasingly required by investors as a condition of investment in smaller businesses as well.
A DPO has many responsibilities, including preventing data protection breaches, dealing with complaints about breaches and dealing with the payment of fines. Being the data protection officer is far from a badge – it carries increased risks for that individual. In practical terms, the data protection officer will be first in the firing line if things go wrong.
To help you protect yourself in the role of being the person in charge of data, we look at:
- Terms of employment for data protection officers
- Who else is responsible for a data breach?
- How to handle a subject access request
Terms of employment for data protection officers
If your employment contract, director's service contract or any other agreement with the business contains no explicit terms about the DPO role, those agreements are unaffected and remain separate from your appointment as DPO.
As the data protection officer for your organisation you will be held responsible by the Information Commissioner's Office ("ICO") for data protection failings, whether or not the role is included in your contract and whether or not you are culpable. Managing data theft following a hack, for example, would fall within your remit.
Before taking on responsibility for data protection it is prudent to acknowledge the risk that you could be the fall guy, and to negotiate a long notice period. A long notice period improves your chances of a decent settlement agreement if you are dismissed. Another area for discussion with the employer is training and resourcing.
Reporting lines are an area that can trip employees up, as senior managers and directors will try to avoid responsibility. Having agreed an organisational reporting line, you need to make sure that it is kept up to date.
Who else is responsible for a data breach?
The data protection rules are framed so that several persons can be responsible for the same breach if they were involved in the process. In practice this means that it is not just the data protection officer but also senior management and directors who may be held responsible.
A regime of self-reporting applies. The data protection officer and processors will need to inform the ICO within 72 hours of becoming aware of the data breach.
The data protection officer should report to the highest management level – i.e. the board. The board of directors is not excluded from liability by the appointment of a data protection officer and, having delegated the task, remains responsible for oversight.
In particular, directors and senior management will be held liable where a data offence is committed by the company and it is shown that the directors or senior management were negligent. This is a criminal offence.
Where the business is managed by shareholders, they will be held to account as if they were directors. The message is clear – if you take on the responsibility of running the company, whatever your job title, you also take on the responsibility for its data protection and security.
How to handle a subject access request
Employees have enhanced rights to find out what personal data is held about them by their employer, why it is held and who the information is disclosed to.
With over 42% of data protection complaints lodged with the ICO relating to subject access requests, employers need to know how to handle them. We provide a short summary of the employer’s duties in response to a subject access request.
- You must respond to a request ‘without undue delay and within one month of receipt of the request’. In more complex circumstances this may be extended by up to two months – you must explain the extension to the employee.
- You may ask the employee to specify the information or processing activities to which the request relates, where you process a large quantity of information about the employee.
- You do not need to disclose employment references given in confidence. All information within the reference is protected but comments made about a reference received from a third party are not. Care should be taken over how this information is recorded and communicated.
- You do not need to disclose data processed for the purposes of management planning related to business activities, where to disclose it would prejudice the conduct of a business. This would include information such as staff redundancy programmes, which would prejudice the employees if disclosed in advance.
- You may charge the employee administrative costs for ‘manifestly excessive or unfounded’ requests. It is not enough that the effort to search thousands of emails would be disproportionate. There should be significant technical difficulties in recovering the information before a request could be considered manifestly excessive.
- You may refuse to respond to unwarranted requests. If you refuse to respond to the request you must explain why and inform the employee of their right to complain to the supervisory authority.
Failure to meet the deadline or provide employees with access to all requested data could expose the employer to fines.