GDPR; do I need a DPO?
On 25th May 2018 all ‘public authorities and bodies’ will need to appoint a Data Protection Officer (DPO) in order to meet the requirements of GDPR. This means that any dental practice with an NHS contract must have a DPO in place.
A number of professional bodies have been lobbying Parliament in an attempt to have dental practices excluded from this requirement, due to the huge burden it places on small practices. However, any amendments inserted into the UK Bill will only take effect once the Act receives Royal Assent; current thinking is that this will be around September 2018. Until then, the ICO recommends that a DPO be appointed.
Unfortunately, NHS dental practices must appoint a DPO by 25th May 2018 or risk being in breach of GDPR.
What does the GDPR say about when to appoint a DPO?
All ‘public authorities or bodies’ must appoint a DPO. A DPO must also be appointed if one of the following applies:
- The core activities of the business involve regular and systematic monitoring of data subjects on a large scale; or
- The business carries out large-scale processing of special category data.
Unhelpfully, ‘large scale’ is not defined in the recitals or the Regulation itself. However, the Working Party 29 Guidance refers to a hospital as large scale but an individual physician as not. Until more comprehensive guidance is published, it is fair to assume that if you are a single dental practice, or a small chain of 2 or 3 practices, you are unlikely to be processing data on a large scale.
Who can be a DPO?
A DPO can be appointed internally or externally. Whether you appoint a DPO internally or externally, they must be independent; there must be no conflicts of interest.
This requirement means it might be difficult for a small practice to appoint a DPO internally. The Working Party 29 Guidance states:
The DPO cannot hold a position within the organisation that leads him or her to determine the purposes and the means of the processing of personal data…As a rule of thumb, conflicting positions within the organisation may include senior management positions (such as chief executive, chief operating, chief financial, chief medical officer, head of marketing department, head of Human Resources or head of IT departments).
This means the principal and any self-employed associate cannot be a DPO, as they determine the purposes and the means of processing the data. The fact that an associate creates data (by taking information about a patient’s oral health) and then determines what should be done with that data (what treatment to undertake) means they determine the purpose and means of processing. We have clarified the position directly with the ICO, who have confirmed that anyone who determines the purpose and means of processing cannot be a DPO; their advice is that someone who decides what patient information is required for treatment purposes is a data controller.
The BDA guidance currently states that a practice manager can be a DPO. However, as per the Working Party 29 Guidance quoted above, a practice manager cannot be a DPO as they are essentially the ‘head of HR’, even within a small business.
This leaves either a dental nurse or other employed DCP, or your reception staff. This is fine, as long as that person has the appropriate knowledge and understanding of data protection law to properly fulfil the role. You can appoint one DPO for a group of companies. If you do, the DPO must be easily accessible to all companies involved. Similarly, the DPO must also be accessible to everyone in your organisation and to any data subject you hold information on.
You can appoint a DPO voluntarily. However, if you do they will be subject to all the requirements of a DPO as per GDPR. You cannot pick and choose which requirements they will abide by. As such our advice is not to appoint one unless you have to.
Any DPO that you appoint must have the professional qualities and expert knowledge required for the role, the level of which will depend on the nature of the processing activities. Given that dental practices deal with personal data, special category data and data relating to criminal convictions, the knowledge required is likely to be higher than for most other organisations.
What are the DPO’s duties?
The minimum duties required of a DPO are:
- Inform and advise on the practice’s obligations under GDPR;
- Monitor compliance, which would be separate to the practice’s own monitoring;
- Conduct internal audits;
- Advise on the Data Protection Impact Assessment, although remember it is not their duty to complete it;
- Co-operate with ICO on any queries or if a breach occurs;
- Be the point of contact for:
  - Senior management;
  - Data subjects.
If you do appoint a DPO internally, you must ensure that the DPO has the time and resources to perform the role and access to senior management.
JFH Law’s External DPO Services
If you are looking to appoint an external DPO then JFH Law can provide this service for you. The first step would be for us to complete a compliance report; this will help us assess whether you are compliant and what further steps need to be taken to ensure compliance. Following this, we will continue to monitor compliance throughout the year and provide you with quarterly reviews. You will also have access to your DPO should any questions arise about compliance. The monthly cost of the service is from £396 + VAT, for a minimum period of 12 months.
If you have any questions about this article or our external DPO services please feel free to contact Laura Pearce on firstname.lastname@example.org.