19 November 2020
The data protection landscape for businesses and public authorities changed beyond recognition on 25 May 2018 when the GDPR and Data Protection Act 2018 came into force. It seems remarkable that nearly two and a half years have passed. At the time, no-one could have predicted that for the majority of UK businesses, working from home with customer and client data would become the norm.
The GDPR introduced a requirement for an organisation to appoint a Data Protection Officer if it is a public authority, if its core activities involve large-scale processing of special category (sensitive) or criminal offence data, or if its core activities involve regular and systematic monitoring of individuals on a large scale. Many businesses played it safe and appointed a DPO anyway.
Since the GDPR came into force, and particularly during the lockdown period, there has been an explosion in the number of subject access requests (SARs) served on businesses. With staff working remotely, away from their line managers, supervision is more challenging than in the office environment. Consequently, the risk of data breaches has increased with home working, and collating data for SAR responses has become a more complex, multi-dimensional exercise. There is also now a huge amount of business data and personal data residing on local devices and in shared message threads, including on instant messaging platforms such as WhatsApp.
A Data Protection Officer’s role is really twofold. First, the DPO advises on compliance with data protection legislation. The DPO can take a significant amount of pressure off management by handling subject access requests, and this can include liaising with the IT and HR departments within a data controller. Second, if things go badly wrong, a good DPO provides management with an objective view as to whether a data breach should be reported to the ICO and to the data subjects who may be customers, patients or clients. The DPO can help draft the self-reporting form and the correspondence to any affected data subjects. The DPO will help manage the breach by providing the interface with the ICO’s case officers.
Accordingly, the role and especially the objectivity of the DPO is extremely important. This is why a DPO cannot be any member of the organisation’s management who is involved in making decisions relating to the organisation’s data processing activities. For this reason, a genuinely independent and impartial Data Protection Officer is highly desirable and often the only realistic option.
Recognising that businesses would need specialist support, in 2018 BTO Solicitors set up RGDP LLP (standing for Really Good Data Protection). RGDP provides outsourced data protection services to a diverse range of clients, including a large number of housing associations, an airport, firms of solicitors, public bodies in the sporting and business sectors, charities and more. RGDP can offer tailored DPO packages according to the size of the business, ranging from one day of consultancy per month upwards. In the event of an emergency such as a data breach, RGDP can provide urgent input either remotely or on-site. During the lockdown period, when site visits were not possible, work was conducted remotely; as lockdown has eased, RGDP has resumed a mixture of remote advice and on-site visits. RGDP also frequently advises and assists on complex SAR responses.
With the data protection landscape about to change yet again when the Brexit transition period ends on 31 December, and given the present uncertainty as to whether the EU will grant the UK an Adequacy Decision in relation to the UK's data protection regime, to say nothing of the cross-border transfer and USA issues arising from the Schrems II judgment, it is all the more important for UK data controllers to have impartial, experienced specialist advice on hand.
Therefore, now is the time for your organisation to consider hiring a really good outsourced data protection officer!
This piece was written by Paul Motion, a Partner in BTO Solicitors LLP. Paul is a Solicitor Advocate and one of only two Scottish solicitors in private practice accredited by the Law Society of Scotland as a specialist in Data Protection and Freedom of Information law. For more details, contact Mark Chynoweth, the General Manager of RGDP LLP at firstname.lastname@example.org / 07741 738842 (visit: www.rgdp.co.uk) or Paul Motion at email@example.com.
Paul Motion, Partner firstname.lastname@example.org / 0131 222 2932
Mark Chynoweth, General Manager RGDP LLP email@example.com / 07741 738842