Do I need a data protection officer (DPO)?

The introduction of GDPR in 2018 prompted a lot of commercial organisations to ask if they were required to appoint a data protection officer (or DPO).

The Regulations themselves are not very clear about who needs to appoint a DPO. Fortunately, the ICO has produced a simple set of questions that, if answered correctly should clarify things. These are:

1. Are you a public authority?
2. Do your organisation’s core activities[1] require regular and systematic monitoring of individuals on a large scale? For example, tracking and monitoring individuals’ behaviour, such as on the internet or on CCTV
3. Do your organisation’s core activities involve processing on a large scale ‘special categories’ of personal data[2], or ‘criminal convictions or offences data’?

If you answer ‘no’ to all of the above you are not required to appoint a DPO. However, whether you need to appoint a DPO or not you should record your decision and the reasons for it.

You can voluntarily appoint a DPO, but we generally advise against this. All organisations should have someone who is responsible for data protection compliance and they should be adequately supported. However, voluntarily appointed DPOs will have the same role and responsibilities as other DPOs and this can present problems that you wouldn’t have if a “data protection manager” (rather than a DPO) is responsible for your compliance.

If you do need or chose to appoint a DPO then you will need to make sure of the following:

1. The DPO had experience and expert knowledge of data protection law
2. The DPO is registered with the ICO
3. The DPO reports directly to the highest level of management
4. The DPO is closely involved in all data protection related matters
5. The DPO is given access to all relevant personnel and information and is adequately resourced
6. The DPO is able to:
   • inform and advise you and your employees about your obligations to comply with the GDPR and other data protection laws;
   • monitor compliance with data protection laws, and with your data protection policies, including managing internal data protection activities; raising awareness of data protection issues, training staff and conducting internal audits;
   • advise on, and to monitor, data protection impact assessments;
   • cooperate with the supervisory authority; and
   • be the first point of contact for supervisory authorities and for individuals whose data is processed (employees, customers etc).

7. Any other role the DPO has in the business does not conflict with their responsibilities as DPO. This can be hard as it means that the DPO cannot hold a position within your organisation that leads him or her to decide how you handle personal data (which, for example, a head of HR or IT or an MD would expect to do in various circumstances). Because of this requirement (and the need for expertise in data protection), a lot of organisations chose to appoint external advisors as their DPO.

____________________________________________________________________________

[1] By “core activities“ the ICO means the principal activity of your business so, for example, processing for internal HR purposes would not be a “core activity”

[2] ‘special categories’ are personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data about a person’s sex life or sexual orientation