Data Protection Officers (DPO)
Who needs to appoint a DPO?
Any organisation can appoint a Data Protection Officer (DPO) whether or not they are required to by the GDPR. However, the GDPR requires organisations (both data processors and data controllers) to appoint a DPO in the following circumstances:
- if the organisation is a public authority (except for courts acting in their judicial capacity)
- if the organisation carries out large scale systematic monitoring of individuals (for example, online behaviour tracking); or
- if the organisation carries out large scale processing of special categories of data or data relating to criminal convictions and offences (for example, a hospital). Special categories of data are broadly the same as Sensitive Personal Data under the DPA (the Data Protection Act 1998) and include health data, ethnic origin, political opinions and religious beliefs.
What is the role of the DPO?
The DPO's role is to:
- provide advice and guidance to the organisation and its employees about their obligations to comply with the GDPR and other data protection laws
- monitor the organisation’s compliance with the GDPR and other data protection laws, including managing internal data protection activities
- advise on Data Protection Impact Assessments (DPIA)
- provide staff training
- conduct internal data audits and oversee the implementation of compliance tools
- be the first point of contact for data subjects and for the supervisory authority (in the UK, the ICO)
The DPO must be able to act independently and be able to report directly to senior (i.e. board level) management in order to raise any concerns. The organisation must ensure that the DPO is adequately resourced to enable them to meet their GDPR obligations.
Who can be a DPO?
An existing employee can be appointed as DPO provided that their existing duties are compatible with the duties of the DPO and do not lead to a conflict of interests. EU guidance (from the Article 29 Working Party) has suggested that combining the role of DPO with a senior management position within an organisation may give rise to a conflict of interest. This means that it is unlikely that the DPO can be the chief executive or a senior manager in the organisation's HR, finance, marketing or IT department. Organisations can also outsource the role of DPO to an external professional consultant, or share a DPO with other organisations, provided there is no conflict of interest.
Does the DPO need specific qualifications?
The GDPR does not specify the precise credentials of a DPO, but it does require that they have professional experience and expert knowledge of data protection law proportionate to the type of processing the organisation carries out and to the level of protection the personal data requires.
What if I don’t need a DPO?
If you are not required to formally appoint a DPO under the GDPR, it may still be useful to informally appoint an individual within your business who is responsible for data protection compliance. To avoid confusion (and having to comply with the specific requirements of the GDPR around DPOs) we would recommend using another term, such as Data Compliance Officer (DCO).