Do Chambers require a Data Protection Officer?
Despite what some may think, the concept of a ‘Data Protection Officer’ is not new. In the UK, many organisations chose to appoint Data Protection Officers as best practice. The relevant change under the GDPR is that such appointments will now be mandatory for organisations that meet the stated criteria. In recent training sessions and client meetings, the question has been posed whether barristers’ chambers should do so.
Let’s first consider Article 37 of the GDPR, which sets out the criteria under which the appointment of a DPO by a controller or processor is mandatory:
I. The processing is carried out by a public authority;
II. The core activities of the controller or processor consist of processing operations which require regular and systematic processing of data subjects on a large scale; or
III. The core activities of the controller or processor consist of processing on a large scale of sensitive data or data relating to criminal convictions/offences.
For Chambers, the first criterion is irrelevant. However, the second and third could pose potential issues. Unhelpfully, the GDPR does not define what constitutes large-scale processing. However, Recital 91 specifically provides that ‘the processing of personal data should not be considered to be on a large scale if the processing concerns personal data from patients or clients by an individual physician, other health care professional or lawyer’. As with much of the GDPR, there is considerable scope for interpretation and a lack of definitive guidance on how to apply the various principles and articles in specific sectors. It is evident that individual barristers will not require a DPO; however, it remains less clear whether certain chambers, by virtue of their size and the volume and sensitivity of the information they process, may be required to appoint a DPO.
Notwithstanding any mandatory requirement, Chambers may still choose to appoint a DPO. The ICO believes it may be useful for organisations to designate a DPO voluntarily. Even the Article 29 Data Protection Working Party “encourages these voluntary efforts”.
In the course of supporting Chambers through their compliance journey, we have seen various informal iterations of such a role – a management committee member, a designated barrister within chambers, and a senior clerk or administrator. Recognising the importance of the role, the GDPR lays down conditions for the DPO’s appointment, position and tasks. The GDPR is very clear that when a DPO is appointed on a voluntary basis, the requirements under Articles 37 to 39 will still apply as if the designation had been mandatory. If Chambers simply wants to allocate the tasks associated with compliance to a particular individual, that person should not be referred to as a DPO.
Given the heavy reliance on transparency and on being able to demonstrate compliance, Chambers that decide not to appoint a DPO should record their reasoning and decision as part of their compliance documentation. This may take the form of management committee minutes or a written determination from the Head of Chambers.
It is worth reiterating that the DPO, whether mandatory or voluntary, bears no personal responsibility for non-compliance with the GDPR. The responsibilities and obligations of the data controller or processor cannot be passed on or transferred; the controller or processor remains accountable for compliance.
Given the many different administrative arrangements across Chambers and individual practices, it can be difficult to accurately interpret the legislation in the context of your particular circumstances. This is why BRIEFED has been instructed by over 45 chambers to help them navigate through their compliance journey. We also offer a range of online training and compliance tools available here. Members of the Bar of England and Wales enjoy a 10% discount.