Data Protection Officers – what’s the risk?
Every GP practice in England and Wales is required to have a designated Data Protection Officer (‘DPO’), who is key to the practice being able to comply with its duties under the UK General Data Protection Regulation (‘GDPR’). Unfortunately, there is a lack of understanding about the importance of the DPO role, with the result that the partners, and separately the DPO, take on potentially significant regulatory and financial liability. In many practices, the DPO is seen as a secondary function that a partner, practice manager or relatively junior member of staff can undertake in addition to their normal duties. In this blog, our data and information security solicitor, David Sinclair, identifies some of the key risks and some steps you can take to avoid them.
The role of the DPO
A DPO has significant, statutory data protection responsibilities that require them to possess requisite professional qualities and other abilities (not defined in the legislation), together with an ‘expert knowledge of data protection law and practices’. Given the complexity and ever-changing nature of UK data protection law, this is a significant burden to impose on any professional – even one with considerable information governance experience.
Unless otherwise expressly set out in the partnership agreement, partners are jointly and severally liable for GDPR compliance, including for formally appointing and adequately supporting a competent DPO, and for filing the DPO appointment with the ICO.
Partners bear the full statutory responsibility of ensuring that the DPO (whether a staff member or third party) has the experience, skills and knowledge to fulfil their DPO duties, as well as the required ongoing training, support and resources to enable them to carry out their role.
A DPO carries significant exposure (under their employment or service contract rather than under the GDPR itself, as explained below) if a GDPR breach is attributed in whole or in part to a failure on their part to properly undertake their DPO duties. This is the case even where it can be shown that they did not have the necessary experience for the role and/or were not provided with adequate training to understand the GDPR’s requirements (many of which are poorly defined and open to interpretation), unless the DPO can demonstrate that they raised these issues with the practice at the earliest opportunity.
A common misconception among DPOs is that they have immunity from prosecution, dismissal, or other disciplinary action by virtue of their status as a DPO. This is not the case.
Article 38(3) of the GDPR gives DPOs limited protection from dismissal or other penalty imposed purely for performing their DPO tasks. In addition, DPOs cannot be personally liable under the GDPR for the partnership’s non-compliance, which remains with the partners as the controller.
Data protection law does not, however, protect a DPO who fails to undertake their statutory role, or who does so negligently, for example by failing to advise the partners or by giving inaccurate advice, particularly where this is due to the DPO’s lack of competence and they did not raise that with the practice.
Further, the GDPR does not prevent partners from disciplining an employed DPO (up to and including dismissal) under the terms of their employment contract, or from seeking to recover damages (for breach of contract and/or negligence) from an external DPO whose failure to undertake their role results in a breach of data protection law.
So how can you minimise your liabilities?
Partners should undertake due diligence on a DPO’s competence and suitability to undertake their role. The practice must also provide the DPO with the resources and support they need to carry out their duties. We strongly advise partners to review their DPO appointment on a regular basis.
Existing DPOs and those considering taking on the role should give thought to whether they have the required training, experience, skills and knowledge to undertake the role. Particular consideration should be given to whether they can advise the practice competently and confidently on complex GDPR issues. Individuals who have doubts about their competence in this area should raise this with a partner as a priority.
For more information about GDPR, the role of the DPO or information governance issues generally, please contact David Sinclair on 01483 511555.