Data protection within a business is often seen as somebody’s secondary role, usually the HR department, and a role that hasn’t been taken seriously.
Indeed, historically, many companies have seen it more as a hindrance to a company’s day-to-day running, and compliance has often been lax.
However, it’s a serious issue, and the bringing into law of GDPR brought this home to many as suddenly there was real legal clout behind the regulations – and rightly so.
As more and more people’s data gets harvested and stored by companies small and large, it becomes ever more critical that it’s handled securely and sensitively.
Spreadsheets, files and documents are easily shared within an office and indeed the rest of the company, but does anyone know exactly what’s in that data and who has access?
The ability to store vast amounts of information on extremely cheap devices such as USB memory sticks makes the problem even more significant. These devices are easily left lying around and can, therefore, be picked up and carried away.
I’m sure I’m not the only one to receive a report that an unencrypted USB containing personal information was put in a backpack which was then lost.
Data protection and the hype
Of course, a few high profile data leaks were plastered all over the news which brought the whole data protection situation into focus.
With people’s sensitive data being left on trains, or accessible via websites for all to see, people suddenly started to notice. The downside to this was that everyone had an opinion on what was and was not personal data, and what companies should be doing about it.
Companies of all sizes were being told they needed to register with the Information Commissioner’s Office (ICO) and employ a Data Protection Officer or they could end up being fined – or worse.
However, The ICO has made it clear which companies need to go to the expense of a Data Protection Officer (or “DPO”), and luckily, many small businesses don’t need to employ them.
What companies need to employ a Data Protection Officer?
Now, even though the definitions seem pretty straightforward, they are of course, open to interpretation and might need a bit of clarification.
First of all, then, let’s look at what the ICO says (also available on our DPO page):
The ICO states that you must appoint a DPO if:
- you are a public authority, or,
- your core activities consist of processing requiring regular and systematic monitoring [such as CCTV or profiling] of people on a large scale, or,
- your core activities consist of processing on a large scale of special category data or criminal offence data.
Special category data is that about people’s race, ethnicity, political opinions, health, sexual orientation etc.
Criminal offence data is that about whether someone has committed a crime right through to the outcome of any prosecution.
The problem here is the language.
What does “large scale” mean?
The ICO doesn’t give any concrete detail on this (for good reason), so it’s up to the organisation to consider its use of data and whether it would consider it to be large scale.
When deciding if a DPO is needed the type of data, the amount of data being used and what is being done with it should be considered.
For example, if you have an eBay store selling second-hand goods, it’s likely the data you collect isn’t going to require you to appoint a DPO.
When someone buys from you, you’ll need their name, email and address. You certainly don’t need their gender, ethnicity or date of birth.
And when the transaction is complete, you send the invoice, and you’re done with them.
This sort of data can’t be classed as special category, and there’s probably not much of it, either.
However, an online store such as Amazon is a different matter.
Companies like this collect a lot of data and actively use it in their marketing. They use profiling software to analyse their customers’ behaviour – hence why you get emails out of the blue when you realise you have nearly used all of that face cream that you bought from them .
This would satisfy the “profiling” aspect of the rules.
Types of data
Of course, data isn’t just digital bits and bytes.
As the regulations point out, CCTV data can also contain sensitive information, for obvious reasons.
And, of course, printed documentation is often ignored. If you have customer information, profiles on them and financial data printed out, this also needs to be controlled, and you’ll probably need a DPO.
Public Authority
We’ve left the easiest one ’till last because you should know whether you’re a public authority or not! If you don’t know the Data Protection Act will tell you.
However, if you carry out tasks in the public interest, and are paid by the taxpayer, you’re probably a public authority.
In Summary
- If you’re a public authority, you need a DPO
- If you handle large amounts of special category or criminal offence data , then you may need one
- If you are involved in large scale monitoring of people you may need one.
- If you’re an online store merely fulfilling orders, you probably don’t need one.
If you’re at all in doubt about whether you should hire a DPO, you should, of course, seek advice, and you can contact us or call us on: 07397 943394.