When Do You Need a Data Protection Officer?

The EU General Data Protection Regulation 2016/679 (“GDPR”) tells us when an organisation must appoint a “Data Protection Officer” (DPO), the position the DPO holds within the organisation and the data protection tasks for which they are responsible (Articles 37 to 39). Even though the UK has now left the EU, the same rules continue to apply to UK organisations through the UK GDPR, which carries the EU text into domestic law. In this article, we explore each of these requirements, how they apply to an organisation, and the most commonly asked questions about the Data Protection Officer role.

What is a Data Protection Officer?

A Data Protection Officer helps organisations to meet their regulatory obligations in relation to the processing and handling of personal data. Given the regulatory penalties and the significant reputational damage that organisations face when personal data is not securely managed, the DPO’s role is one of growing importance within today’s business environment.

Does my business need a DPO?

Article 37(1) of GDPR specifies three circumstances in which a DPO must be appointed, and these apply to Data Controllers and Data Processors alike. The first is where the processing is carried out by a public authority or public body (other than a court acting in its judicial capacity). Secondly, you will need a DPO if your core activities consist of processing operations that require regular and systematic monitoring of individuals on a large scale – for example, tracking activity or behaviour, perhaps using algorithms for advertising purposes. Finally, if your core activities consist of large-scale processing of “Special Categories” of personal data (per Article 9 of GDPR) or of personal data relating to criminal convictions and offences (per Article 10), you will similarly need to demonstrate that you have a DPO in post. Note that “core activities” means the processing necessary to achieve your organisation’s main purposes, not ancillary activities such as paying staff or routine IT support.

Please note that even if none of these conditions applies to your organisation, you are still obliged to have appropriate staff and resources available to deliver your data protection framework. If you decide to appoint a DPO voluntarily, be aware that the appointment carries the same requirements (Articles 37 to 39) as if it were mandatory. For that reason, smaller organisations often choose an alternative job title for this role rather than designating a formal DPO.

What is a DPO responsible for?

The DPO has a clearly defined responsibility (Article 39) to help their organisation and its employees understand and comply with GDPR and related data protection obligations. Their typical activities include:

  • the provision of data protection training
  • conducting internal audits of activities which process personal data
  • advising on and reviewing Data Protection Impact Assessments (per Article 35 of GDPR)
  • being the nominated point of contact for both the Information Commissioner’s Office (ICO) and any data subject who wishes to make enquiries about the processing of their personal data; the DPO’s contact details must be published and communicated to the ICO (Article 37(7))
  • being available to coordinate the identification and reporting of any personal data breaches that may occur, bearing in mind the 72-hour window for notifying the ICO under Article 33.

It is worth noting that whilst the DPO is responsible for advising the business leaders on how to comply with GDPR and meet its specific requirements, it remains the responsibility of those senior individuals to understand and act upon the advice they receive. Accordingly, Article 38 requires that the DPO report directly to the highest level of management, that the organisation (whether Data Controller or Data Processor) support the DPO and involve them in all data protection matters, and that the DPO not be dismissed or penalised for performing their tasks. A DPO may hold other duties within the organisation, but care must be taken that those duties neither create a conflict of interest with, nor interfere with, their DPO tasks.

Who can be a DPO?

Article 37(5) further explains that the post holder should be a professional who has expert knowledge of data protection law and practice and can fulfil the tasks set out in Article 39 of GDPR. As such, a DPO will usually be able to evidence comprehensive training in GDPR and will have a professional approach that allows them to communicate clearly and advise at all levels within the organisation. An important attribute is experience in risk management, which allows them to prioritise tasks focused on higher-risk data processing activities, or on areas where a personal data breach would cause the most damage.

Assessment of risks gives a DPO greater insight into the adequacy and security of personal data processing activities, in particular in operations involving the processing of special categories of data (e.g. reviewing the medical status of health insurance policyholders) or criminal convictions and offences (e.g. monitoring the daily activities of offenders). An experienced DPO will consider factors such as the number of data subjects involved, the volume of personal data being processed, whether the processing is ongoing or a one-off exercise, and the possible risks to individuals associated with the processing.

Do charities need a Data Protection Officer?

One common question is whether registered charities are required to appoint a Data Protection Officer. The test is the same as for any other organisation: whether the charity’s activities include personal data processing of the kinds defined by Article 37 (reviewed above). Although many charities will not meet this threshold, the Charity Commission notes that having a DPO “is advisable”. However, a qualified DPO will not be a low-cost hire, and many charities have considered engaging an external DPO, who may be available part-time or on demand and may independently represent several organisations that cannot commit to a full-time resource. Regardless of the engagement model, it remains each charity’s responsibility to recruit, select and manage a DPO (if required) on whom they can rely for timely, appropriate and responsible guidance on GDPR compliance.

Conclusion

Whether you have a mandatory requirement for a DPO, have chosen to appoint one on a voluntary basis, or are reliant upon an experienced individual under a different job title, their experience of data protection legislation and how it should be implemented within your business will provide a significant boost to your levels of compliance with GDPR.

To aid businesses in their GDPR journey we offer an online GDPR Knowledge and Awareness course for just £49 + VAT.