Posted by: Malcolm Jarvis CIPP/E
If you’re considering a change of role, and the prospect of leaping out of bed every morning to a day policing data protection regulations gets your juices flowing, 2018 could be your lucky year. Way back in April 2016, the International Association of Privacy Professionals (IAPP) estimated that the GDPR will necessitate the creation of at least 28,000 new Data Protection Officer roles within the EU. Since then, having taken into account that the GDPR’s scope includes any companies handling data relating to EU citizens regardless of where the company is located, this estimate has ballooned to 75,000. The article goes on to state that 90% of companies surveyed will be filling these vacancies from within their own ranks, but even so it makes it difficult to argue against the EU being good for job creation. However, it does highlight a timely question: does your company need to hire a Data Protection Officer (DPO) before May 25th and, if so, what will they have to know and do?
First things first - unless you are genuinely interested in data protection, data protection legislation and conducting regular data protection impact assessments and suchlike, you don’t want to be a DPO. This isn’t a throw-away role that you can assign to yourself or one of your co-workers and consider the job done. It comes with genuine, statutory responsibilities. The GDPR places liability for non-compliance on the controller or processor rather than on the DPO personally, but a designated DPO who fails to carry out the Article 39 tasks will be at the centre of any enforcement action that follows, and the organisation that chose them will have to answer for that choice.
Secondly, maintaining our focus on call centres and call centre activities, we’ll leave the job of identifying the requirement for a DPO for other types of business to other sources - there are certainly plenty of them.
Lastly, as with my previous articles exploring the GDPR in relation to call centre activities, I need to point out that I’m not a solicitor or legal professional and any advice given here is on a best-effort basis. It’s also worth bearing in mind that although the GDPR is a regulation and so applies directly in the UK without needing to be transposed into UK law, it leaves a number of points for Member States to decide, and the UK government will fill those in (and add its own exemptions) through the new Data Protection Act.
What Does a Data Protection Officer Do?
The role of a Data Protection Officer has been well established in Germany for over 10 years, and a few other countries in the EU such as France and Sweden already have many DPOs in place. However, for other countries both inside and outside the EU, the concept is wholly or partially new. Article 39 of the GDPR gives us a list of duties that a DPO will be required to carry out under the GDPR.
In order to understand these requirements, and data protection legislation in general, we need to understand the distinction between the data controller and the data processor. These terms come up again and again, so if you’re not already familiar with them then it’s worth getting your head round them now.
Data Controllers and Data Processors
The data controller is the organisation that determines the purposes and means of the processing: in plain terms, the company deciding which personal data is to be used and what is to be done with it.
The data processor is the organisation that actually processes the data on the controller’s behalf and on the controller’s instructions. In many cases the controller does its own processing; in others the controller and processor are different companies, and in some situations there may well be more than one processor in the chain.
Let’s look at a call centre example:
MJ Telemarketing Ltd has a contract with Buzz Energy Ltd. Buzz Energy supply them with a list of customers to contact to offer a new tariff to. MJ Telemarketing uses Greenlight as a hosted call centre software provider to facilitate the process of calling through the list of customers in an efficient manner (among many other useful functions).
Provided that Buzz Energy signs a contract with MJ Telemarketing and provides instructions detailing how the data is to be used, Buzz Energy is the sole data controller in this scenario. These instructions would include details such as how often the individuals listed in the data are to be called, what information is to be collected on each call, how the data is to be returned and so on.
MJ Telemarketing also has a contract with Greenlight that specifies how any data that they load into their Greenlight call centre system is to be used, how it is to be deleted when no longer required, and that no decisions regarding the processing of any data loaded will be made without MJ Telemarketing’s explicit consent.
Buzz Energy supplies the data (securely) to MJ Telemarketing, and MJ Telemarketing (securely) loads the data into their Greenlight system. MJ Telemarketing processes the data on Buzz Energy’s instructions, and Greenlight hosts and processes it on MJ Telemarketing’s instructions, so both MJ Telemarketing and Greenlight are data processors. Greenlight is a sub-processor here, which means that under Article 28(2) MJ Telemarketing may only engage them with Buzz Energy’s prior written authorisation, and under Article 28(4) Greenlight must be bound to the same data protection obligations that Buzz Energy has imposed on MJ Telemarketing.
However, suppose one of the management team at MJ Telemarketing decides that they’d like to collect some additional information on calls, for example, the individual’s date of birth or maybe an opt-in for MJ Telemarketing to call in the future regarding additional products. If they add this to the agent script and agents start gathering this information without Buzz Energy’s written instruction, MJ Telemarketing has decided the purpose of that processing itself and is now also a data controller for all customers for whom this information is gathered. Quite apart from the fact that MJ Telemarketing is now very likely in breach of its contract with Buzz Energy, it has also taken on all the additional responsibilities and liabilities that the GDPR places on data controllers, of which there are many.
So, if you’re carrying out call centre activities on behalf of a client, you’ll need to ensure that everything you do in relation to that client’s customer data is detailed in your service agreement, contract or whatever legal framework you have in place. If not, you run a very real risk of taking on the responsibilities of both the data controller and the data processor should you attract the attention of the ICO. This is a big headache that you really don’t need.
Of course, if you’re involved with a call centre operating in-house, using your own data and making your own decisions about how your data is to be used, you are the data controller, and because you do the processing yourself there is no separate processor to share the obligations with.
The Role of A DPO
Now that we understand the distinction between data controllers and data processors, let’s go back to Article 39 and have a look at what the GDPR requires a Data Protection Officer to do in the line of duty:
1) The data protection officer shall have at least the following tasks:
- (a) To inform and advise the controller or the processor and the employees who carry out the processing of their obligations pursuant to this Regulation and to other Union or Member State data protection provisions.
- (b) To monitor compliance with this Regulation, with other Union or Member State data protection provisions and with the policies of the controller or processor in relation to the protection of personal data, including the assignment of responsibilities, awareness-raising and training of staff involved in processing operations, and the related audits.
- (c) To provide advice where requested as regards the data protection impact assessment and monitor its performance pursuant to Article 35.
- (d) To cooperate with the supervisory authority.
- (e) To act as the contact point for the supervisory authority on issues relating to processing, including the prior consultation referred to in Article 36, and to consult, where appropriate, with regard to any other matter.
2) The data protection officer shall in the performance of his or her tasks have due regard to the risk associated with processing operations, taking into account the nature, scope, context and purposes of processing.
So, to translate that into English, a DPO will need to do at least the following:
- Know and understand the GDPR and all other relevant data protection laws applicable to your business activities. This includes the laws of countries other than the one you’re operating in and/or are based in if you’re using data concerning citizens of other countries. Remember that the GDPR is a regulation: it replaces the old Data Protection Directive and applies directly in every Member State, but it leaves a number of points to national law, and countries are filling those in with their own legislation (the UK will have a new Data Protection Act that sits alongside the GDPR and supplies the UK-specific exemptions and derogations - DPOs will need to be intimately familiar with both).
- It’s the DPOs duty to work with both data controllers and data processors any time personal data is being used by the company and ensure that everyone knows what’s required of them.
- It’s also their duty to ensure that all relevant staff are adequately trained in data protection practices and principles.
- DPOs are tasked with monitoring both controllers and processors to ensure they are fully compliant with the GDPR and any other applicable data protection legislation. They also need to ensure both controller and processors are following their own data protection policies.
- DPOs monitor how responsibilities for data protection are assigned within the organisation, and flag it when nobody owns a task that the GDPR requires to be done.
- Whenever a Data Protection Impact Assessment is required, the DPO is responsible for advising the company on how to carry one out and ensuring it’s done correctly.
- The DPO is required to cooperate with the ICO (or other supervisory body if dealing with other countries).
- The DPO is the contact point for the ICO. In particular, where a Data Protection Impact Assessment shows that processing would be high risk and the risk can’t be mitigated, Article 36 requires the controller to consult the ICO before the processing starts, and the DPO is the person who handles that consultation.
But wait - there’s more. Article 38 details the “Position of the Data Protection Officer”. I’ll let you read the official wording for yourself, but the gist of it is:
- The data controller and the processor have a legal obligation to involve the DPO promptly, any time any matter relating to personal data is being discussed.
- The controller and processor are legally bound to provide the DPO with adequate resources to do their job, including access to the data itself, access to processing operations, and to ensure they have access to training to maintain their expertise.
- Neither the controller nor the processor can provide the DPO with instruction on how to do their job. They cannot dismiss or penalise the DPO for performing their role. The DPO must report to the highest level of management within the controller and processor.
If that sounds like a high level position within an organisation, then you’d be right. There’s a lot of scope here for abuse of power and to create a lot of trouble and expense for your business (and possibly for your clients and suppliers as well), so selecting the right person to carry out this role is going to be critical.
Because the DPO can’t be instructed in how to do the job, can’t be penalised for doing it, and is the ICO’s contact point for the prior consultation that’s required before any high risk processing goes ahead without adequate safeguards (and “high risk” takes account of processing on a large scale, so most call centre activities will be in the frame), it’s not far off the mark to think of them as the ICO’s representative inside your organisation. You get to choose them, but once they’re designated, their duty is to the protection of personal data and to the regulator - the company’s commercial preferences come a distant third. Of course, there’s nothing wrong with this, and the world would be a much better place if all businesses took protection of personal data seriously, but thinking about the role in this way should help focus your business on selecting the right person for the job.
Does My Call Centre Need a Data Protection Officer?
Given that the role of a DPO is technically challenging and involves high seniority and responsibility, it’s safe to say that qualified, capable individuals to fulfil such a position will be both scarce and expensive. While larger corporations, organisations and public bodies will almost always have a DPO by default (and probably have an equivalent role in place already), smaller businesses are likely to struggle to find this additional salary or possibly to justify the workload after the initial assessments and training are complete and data protection practices are established.
Article 37 of the GDPR details the conditions under which a Data Protection Officer is required and the options for assigning one. Firstly, there are three conditions under which a DPO must be designated:
- Where the processing is carried out by a public authority or body (except for courts acting in their judicial capacity).
- Where the core activities of the controller or processor consist of processing operations which require regular and systematic monitoring of individuals on a large scale.
- Where the core activities of the controller or processor involve the use, on a large scale, of special categories of data or personal data relating to criminal convictions.
The first of these basically means that all public bodies, such as councils, the emergency services, government organisations etc, will be required to assign a DPO. If you’re involved with one of these bodies, I’m sure it’s safe to assume that you’re already well on your way to having a DPO if you don’t have one already.
The second covers organisations whose business is built on monitoring people. The obvious examples are CCTV surveillance covering public spaces or monitoring activity on a social media website, but the Article 29 Working Party’s guidance on DPOs reads “monitoring” more broadly than cameras: its examples include profiling and scoring for risk assessment, location tracking, loyalty programmes, behavioural advertising and data-driven marketing activities. There seems to be a bit of ambiguity at present as to whether this applies to companies where this isn’t their “core activity”, but if your business gathers surveillance data, or builds and maintains profiles of the people it calls, then it would certainly be worth seeking professional guidance on the matter.
Special Categories of Data
The last condition, point (c), is the one that is most complicated and is also most relevant to call centre businesses. Special categories of data aren’t a new concept, and have long been subject to additional safeguards. The special categories are listed in Article 9 of the GDPR and consist of data relating to:
- Racial or ethnic origin
- Political opinions
- Religious or philosophical beliefs
- Trade union membership
- Genetic data
- Biometric data for the purpose of uniquely identifying a natural person
- Data concerning health
- Data concerning a person’s sex life or sexual orientation
Article 10 adds that data relating to criminal convictions and offences may only be processed under the control of official authority, or where Union or Member State law specifically authorises it and provides appropriate safeguards. Unless you can point to the specific law that authorises your business to hold this data, it’s safe to say it doesn’t apply to you.
It’s worth a reminder that processing any of these special categories of data is prohibited unless one of the conditions in Article 9(2) applies; for a call centre campaign, the explicit consent of the individual the data relates to is the condition most likely to be available. In cases where the individual does provide adequate consent, gathering or holding significant amounts of data falling into any of these categories means that the data controller, the data processor, or both (whichever has this processing as a core activity) must designate a Data Protection Officer.
While it’s true that the regulation states that only the processing “on a large scale” of the special categories of data necessitate the allocation of a DPO, all call centres that I know of exist to handle large volumes of calls leading to large volumes of data. For this reason, it’s a safe bet that as soon as you start gathering any of these classes of data, your systems will very quickly be considered to contain such information “on a large scale”.
Of the categories listed above, the one that I see most often in call centres is data concerning health. Insurance campaigns, RTA campaigns, anything to do with wills or pensions, even PPI campaigns or campaigns using data relating to state benefits being received in order to access a government grant involve data regarding people’s health. Any political canvassing campaigns would also necessitate the allocation of a DPO as would data that includes people’s racial or ethnic origin.
If your campaign can manage without this data, then the easiest option is to simply leave it out. Remember that under the GDPR, all companies will have a duty to regularly review whether they can justify gathering and keeping the personal data that they have. If they can’t provide adequate justification for keeping it (“it might come in handy one day” is not an adequate reason), then it must be deleted.
However, if your campaign does require you to gather and process one of these categories of data, then either the data controller or data processor must designate a DPO to oversee the use of the data as detailed above.
Fortunately, Article 37 states that a single DPO can oversee the data protection obligations of more than one company, and that the designated DPO can be a member of staff of either the controller or processor, or be employed on a service contract. This gives us some options.
For smaller call centre businesses, the most likely method for allocating a DPO will be either to have their clients’ DPO cover the campaign under a service contract (larger businesses will almost always have their own DPO anyway), or alternatively to employ the services of a consultant. In either case the DPO still has to be able to act independently: Article 38(6) requires that any other tasks they perform don’t create a conflict of interest, so a client’s DPO can oversee your processing of that client’s data, but not at the expense of the rest of your obligations. One of the difficulties companies will have from May 25th onward will be identifying well qualified professionals to fulfil this role. Article 37(5) only requires that a DPO be designated on the basis of professional qualities and expert knowledge of data protection law and practice; the certification mechanisms in Article 42 are for certifying processing operations rather than individuals, and there is no official DPO qualification in place for when the GDPR comes into force.
There are however many data privacy consultants and professional bodies in place who are already offering their services and who have a long head start on how to comply with the GDPR and other data protection legislation. The Direct Marketing Association (DMA) is also an excellent resource for information and advice regarding data protection. Remember, while some of the GDPR is new, most of it is built on existing data privacy best practices and existing regulations, so consultants already working in the field of data privacy and protection will be a good place to start.
What Can You Do Now?
If the information above suggests that your business will require a Data Protection Officer to be designated by your company, and no suitably qualified individual already exists within your organisation, now is the time to take action. The ICO is unlikely to be swayed by arguments of “I didn’t know I needed a data protection officer” or “I thought random employee X was suitably qualified”. The ICO also has a history of examining months or years of previous activity when investigating breaches of data protection law, so operating for a period of time without following the rules is going to be risky.
If your call centre activities involve the use of personal data on behalf of another business and you haven’t yet discussed the changes demanded by the GDPR, then this is probably the first thing you should do. If they can provide a suitably qualified DPO to cover your business activities on their behalf then they will likely require you to agree that their DPO is designated for that campaign within your business. This will require you to provide them with virtually unlimited access to both your data protection policies and practices and those of any relevant third parties, but will certainly save you the time and expense of recruiting your own DPO.
If you’re acting on behalf of companies that don’t have their own DPO, or if your call centre only conducts business on behalf of your own company, then you’ll either need to:
- Recruit a DPO,
- Identify and train a suitable individual internally, or
- Enlist the services of a consultant DPO under a suitable service contract.
In all these cases, expert advice will be required, and you’ll need to move quickly in order to ensure you’re adequately prepared for the arrival of the GDPR on 25th May.
The need for a data protection officer is, for most UK businesses, a completely new requirement under the GDPR. If your call centre can legitimately manage without one (while keeping on top of all the other demands of the GDPR), then you’ll probably be breathing a sigh of relief for the time being. On the other hand, if the nature of the campaigns conducted by your call centre means that you must have a DPO, at least you’ll be able to console yourself that other companies less proactive than yours will have a hard job competing once this becomes a requirement at the end of May.