Contact tracing: complying with the data protection laws
Guidance for employers who intend to collect customer and visitor information as part of the Government's contact tracing scheme and data protection compliance.Read more
The introduction of GDPR in 2018 prompted a lot of commercial organisations to ask if they were required to appoint a data protection officer (or DPO).
The Regulations themselves are not very clear about who needs to appoint a DPO. Fortunately, the ICO has produced a simple set of questions that, if answered correctly should clarify things. These are:
If you answer ‘no’ to all of the above you are not required to appoint a DPO. However, whether you need to appoint a DPO or not you should record your decision and the reasons for it.
You can voluntarily appoint a DPO, but we generally advise against this. All organisations should have someone who is responsible for data protection compliance and they should be adequately supported. However, voluntarily appointed DPOs will have the same role and responsibilities as other DPOs and this can present problems that you wouldn’t have if a “data protection manager” (rather than a DPO) is responsible for your compliance.
If you do need or chose to appoint a DPO then you will need to make sure of the following:
 By “core activities“ the ICO means the principal activity of your business so, for example, processing for internal HR purposes would not be a “core activity”
 ‘special categories’ are personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data about a person’s sex life or sexual orientation
If you have any questions about whether you need to appoint a DPO, their role or if you have any other data protection related questions, please contact us on 01332 226 466 or complete the form below.
Scroll to next section
Scroll back to the top