Cookies on Pinsent Masons website

This website uses cookies to allow us to see how the site is used. The cookies cannot identify you. If you continue to use this site we will assume that you are happy with this

If you want to use the sites without cookies or would like to know more, you can do that here.

MoJ wants obligation to appoint data protection officers scrapped from EU reform proposals

Businesses should not be placed under any obligation to appoint dedicated data protection officers (DPOs) under a new EU data protection law framework, the UK Government has said.14 Jan 2013

The Ministry of Justice (MoJ) said that businesses should only be "encouraged" to hire DPOs in cases where those firms feel such a measure is "necessary" in order to comply with data protection laws.

The MoJ has previously criticised proposals by the European Commission which would require large companies and those that heavily engage in personal data processing to appoint DPOs. The Commission set out the draft requirements in proposed reforms to the EU's existing framework for data protection in January 2012, but the MoJ has subsequently complained about the cost burdens that such a measure would impose on businesses.

Now, in response (22-page / 112KB PDF) to the UK Parliament's Justice Select Committee report into the Commission's proposals, the MoJ has called for the provisions relating to DPOs to be scrapped.

"The Government does not believe that the requirement to have a data protection officer (DPO) is necessary in the proposed Regulation and we believe that there are other means of achieving the accountability principle," the MoJ said in the response document. "Under the risk based model that the UK Government is proposing, data controllers would be encouraged to appoint data protection officers if they were felt necessary to ensure compliance with the proposed Regulation."

Under the Commission's proposals, business with more than 250 permanent staff, public bodies and organisations with "core activities" that "consist of processing operations which ... require regular and systematic monitoring of data subjects" would be required to appoint a DPO. The officers will be responsible for advising the organisations on data protection issues, monitoring the implementation of their data protection policies and adherence with the law and be the point of contact for regulators.

In some circumstances it would be legitimate for public authorities to appoint only one officer to cover "several of its entities". Only one officer needs to be appointed for a business consisting of a "group of undertakings", according to the Commission's draft plans.

In its report published last year the Justice Committee said that the requirement to appoint DPOs should be "based on the type of business and the sensitivity of data that is handled, rather than the number of employees".

The UK's data protection watchdog, the Information Commissioner's Office (ICO), has also previously said that it should not be "mandatory" for organisations involved in large-scale personal data processing or risky processing to employ a specialist DPO. Such a requirement should not be imposed providing those companies "have effective processes in place for ensuring data protection compliance," the ICO said.

The Confederation of British Industry (CBI) last year also said that it would be "costly and disproportionate" to require all organisations with more than 250 employees to appoint a dedicated DPO.

Earlier this month MEP Jan-Phillip Albrecht published proposed amendments to the draft plans set out by the European Commission. Albrecht is rapporteur to the European Parliament committee responsible for scrutinising the proposed data protection reforms. In his report, Albrecht said that the size of firms should not be a criterion for determining whether they have to appoint a DPO or not. He proposed that businesses that process the personal data of more than 500 people in a year should be obliged to appoint DPOs.

"The threshold for the mandatory designation of a data protection officer should not be based on the size of the enterprise but rather on the relevance of data processing," Albrecht said. "This includes the categories of personal data processed, the type of processing activity and the number of individuals whose data are processed."

Join My Out-Law

  • See only the content that matters to you
  • Tailor Out-Law to your exact needs
  • Save the most useful content for later reading
  • Tailor our weekly eNewsletter to your interests

Join My Out-Law

Already signed up to My Out-Law? Sign in

Expertise in Confidential Information

Ideas, techniques and know-how can lie at the heart of a business. Pinsent Masons' international intellectual property team is dedicated to helping you to protect those intangible valuables that help you to stand out from your competitors.

More about Confidential Information