There is no clear obligation on Credit Unions to appoint a Data Protection Officer (DPO). Here we provide a concise explanation of the law, the considerations, risks and observations. With the recent circular from the Data Protection Commission (DPC) to many Credit Unions, this has become a topical issue, and we hope to bring clarity to the consideration of this role.
1.1 The requirement to appoint a DPO is defined by Article 37 of the GDPR and is summarised as follows by the Irish DPC:
“An organisation is required to appoint a designated data protection officer where:
- the processing is carried out by a public authority or body;
- the core activities of the controller or the processor consist of processing operations, which require regular and systematic monitoring of data subjects on a large scale; or
- the core activities of the controller or the processor consist of processing on a large scale of special categories of data or personal data relating to criminal convictions and offences.”
1.2 The DPO is a statutory position with legal requirements and responsibilities.
1.3 It is unlikely that the activities of an Irish CU could be considered to meet any of these three requirements; consequently, any appointment of a DPO will be voluntary.
Considerations for Credit Unions
2.1 There was an early rush to appoint DPOs across the sector and it has become normalised for many. This appears to have been encouraged by the ILCU.
2.2 There has been a general misconception across many CUs that the person who ‘owns’ data protection within the CU has to be a DPO. When we explore what boards actually want, a Data Protection Representative (DPR) is often sufficient. The term DPO should not be loosely used for this role.
A DPO is a statutory role that has many powers mandated by law (see 3.2 below), and is designed to be part of a large enterprise (e.g. a government department, health service, or other significant organisation). A DPR is the person who ‘owns’ data protection and operates under the direction of management, without the constraints mandated for a DPO.
2.3 There are times when it is appropriate for a Credit Union to appoint a DPO, and if it is the opinion of the board to make an appointment, this is a perfectly legitimate route. Additionally, it is always advisable to carefully consider guidance relating to the appointment of a DPO issued by a regulatory oversight body with authority over your CU. A DPO must register with the DPC and, where there is no legal obligation to retain a DPO, may deregister.
2.4 Some Credit Unions have grown significantly in scale and have aspirations to grow further. There will come a point where (on a European-wide scale) they could be considered large scale and will require a DPO.
2.5 It is advisable for a Credit Union to guard against over-engineering this role. This is not to suggest that the CU does not take its obligations seriously; however, if left unchecked, an individual can evolve this role into something that was not intended by the legislation and is not required by the regulators.
3.1 The costs associated with a standalone DPO can be significant.
3.2 The role of a DPO has statutory powers. Where a Controller appoints a DPO, the DP Act 2018 (Article 88.4(c) and (d)) states:
“The controller shall;
– ensure that the data protection officer –
(ii) does not receive any instruction regarding the exercise of such functions
– support the data protection officer … including by –
(i) providing him or her with the resource that he or she requires to perform those functions,
(ii) ensuring that he or she has access to processing operations carried out by the controller”
In reality, this level of legal protection for the role of a DPO makes it unlawful for a CEO or board to define the activities of a DPO and can make it difficult to remove a DPO if necessary. This can pose a significant risk to the CU.
3.3 The appointment of an external contracted DPO can mitigate the risk of the powers detailed above being exercised excessively by an employee. However, these powers are not diminished because a DPO is external, and the significance of this legislation in this context has yet to be tested in the courts.
The appointment of a DPO at a Credit Union is currently a voluntary act. Where the Credit Union has a strategic objective or other reasons to appoint a DPO, it should be done with a clear understanding of the statutory nature of this role.
Where a Credit Union does not wish to appoint a DPO, an arrangement that includes an internal Data Protection Representative who ‘owns’ responsibility for data protection, with the support of an independent qualified expert, can deliver an appropriate level of oversight.
Please feel free to contact us at any time if you would like to discuss this further.