Do we need a Data Protection Officer?
In 2018 we saw one of the biggest updates to data protection law in years, the General Data Protection Regulation (GDPR). With it came new obligations and duties which organisations of all sizes must follow.
One prominent update was the introduction of a duty to appoint a Data Protection Officer (DPO) if a company fulfils certain criteria.
Who is legally required to appoint a DPO?
Under new data protection law, a company or business must appoint a DPO if:
- They are a public authority/body as defined within Section 7 of the Data Protection Act 2018;
- Their primary activities (the processing of personal data needed to achieve the company's key objectives) require large-scale, regular and systematic monitoring of individuals (such as online behaviour tracking); or
- Their primary activities require large-scale processing of special categories of data, or of data relating to criminal offences and convictions.
What is ‘large scale’? Whilst the law doesn’t define exact figures, it states that a business must, when determining whether the processing is on a ‘large scale’, consider:
- The number of data subjects concerned;
- The volume of personal data which will be processed;
- The geographical reach of the activity;
- The duration of the activity; and
- The range of different items of data being processed.
Even if a business does not fulfil these criteria and is not legally required to appoint a DPO, it must still ensure it is sufficiently staffed and resourced, with the applicable knowledge on hand, to fulfil its obligations under GDPR and other relevant data protection law. Since a DPO can monitor a business’s compliance and provide advice and support in achieving it, it is best practice to appoint a DPO even where this is not legally required.
If a business voluntarily decides to appoint a DPO, it must abide by the same standards as a business legally required to appoint one. If a business decides not to appoint a DPO, this decision and the reasoning behind it should be documented to demonstrate compliance.
What is a DPO?
A DPO will assist the company to monitor internal compliance with data protection legislation and guidance and, most importantly, to inform and advise on the company’s obligations. A DPO will also provide data subjects (the people about whom the company holds personal information) with a point of contact for any requests or concerns.
Their role will include organising staff training, raising awareness within the company of data protection issues, conducting internal audits, reviewing data protection policies and cooperating with the supervisory bodies.
Who can be a DPO?
A business can appoint an existing employee as its DPO, or it can appoint someone externally. The DPO must, however, be completely independent, have sufficient expertise in data protection and be provided with adequate resources.
A DPO must be appointed based upon their professional qualities, particularly their experience and expertise in data protection law. Whilst the exact credentials expected of a DPO are not laid out by GDPR, a DPO is expected to have experience and expertise proportionate to the level of protection the personal data requires. For example, if the personal data, or the processing of it, is particularly risky or complex, the DPO’s knowledge should be appropriately advanced.
A DPO can hold other roles within a company or business too, but those roles must not pose a conflict of interest with the DPO’s primary tasks and responsibilities. As DPO, they must report to the highest management level at the company.
For small businesses or charities without the resources or knowledge in house to fulfil the requirements of a DPO, an external service is a useful solution to comply with GDPR. We provide an affordable service to enable all businesses and charities small to large with an expert and professional DPO. Read more here or get in touch for our packages and quotations.
Does a business have to follow the advice of their DPO?
A business does not always have to follow the advice of its DPO; however, the decision and the reasons for making it must be documented to demonstrate accountability and compliance.
The DPO is not personally liable for data protection compliance; the company, as the controller or processor, remains liable for complying with the relevant law.
Do the DPO’s details need to be published?
Data protection law requires a business to publish the contact details of its DPO and to provide them to the ICO. Details can be registered here.
Need more guidance?
Get in touch with our experts by contacting us at firstname.lastname@example.org or , and we will be happy to help.