Do I need a Data Protection Officer to comply with GDPR?
Last updated on April 15th, 2020
The countdown is on for the official GDPR implementation date as the six-month deadline approaches. Many organisations will be in the process of reviewing the data they hold, where it is stored, how it is processed and who has access to it, as well as various other requirements they need to implement before 25th May 2018.
One such requirement you may have come across is the appointment of a Data Protection Officer. In brief, this is an enterprise-level security role designed to help processors and controllers comply with their GDPR requirements. Specifically, Articles 37-39 relate to the DPO’s role and requirements, but does your organisation actually need to appoint one to comply with the new regulation?
Which organisations need a Data Protection Officer?
Under the GDPR (Article 37), you must appoint a Data Protection Officer (DPO) if:
- You are a public authority (except courts acting in their judicial capacity); or
- You are a controller or processor whose core activities consist of processing operations which require regular and systematic processing of data subjects on a large scale; or
- You are a controller or processor whose core activities consist of processing on a large scale of sensitive data or data relating to criminal convictions/offences
The Article 29 Working Party (WP29) has now published additional guidance to clarify the requirements for appointing a Data Protection Officer outlined by Article 37.
For processing to be considered a core activity it should be part of the key operations to achieve the controller/processor’s objectives which “forms an inextricable part of the controller’s or processor’s activity”. This would not include activities such as payroll or IT support, which are typically supporting functions.
Organisations should take into account the following factors when considering whether their processing is “large scale”:
- The number of data subjects concerned;
- The volume of data or the range of data items;
- The duration of processing; and
- The geographical extent of processing
“Regular and Systematic Processing”
This would “include all forms of tracking and profiling on the internet, including for the purposes of behavioural advertising”; however, it could also include offline activity. According to the WP29, “regular” monitoring means monitoring which is:
- Ongoing/occurring at particular intervals for a particular period;
- Recurring or repeating at fixed times; or
- Constantly or periodically taking place
If you are a public authority or your processing activities meet any of the above requirements then it will be mandatory for you to appoint a DPO in order to comply with the GDPR. However, any organisation can appoint a DPO if they wish. For those that decide to do so, it is important to remember that voluntary DPOs will still be subject to the same requirements and responsibilities as mandatory DPOs.
The Information Commissioner’s Office has further stated that, regardless of whether you are obliged to appoint a DPO, you must ensure that your organisation has “sufficient staff and skills to discharge your obligations under the GDPR”.
The WP29 advises that, unless it’s obvious that your organisation does not require a DPO, you should keep records of your decision-making process on how and why you have decided not to appoint one.
Roles and Responsibilities of a Data Protection Officer
- Educate the company and employees on important compliance requirements
- Train staff who are involved in data processing
- Conduct audits to ensure compliance and address potential issues proactively
- Be the point of contact for supervisory authorities and for individuals who submit requests regarding their personal data
- Maintain comprehensive records of all data processing activities conducted by the company, including the purpose of all processing activities
- Communicate with individuals to inform them how their data is being used, their right to have their personal data erased, and what measures the company has put in place to protect their personal information.
Who can be a Data Protection Officer?
You can outsource your requirement to a third party or you can appoint a current staff member as your DPO, as long as there are no conflicts of interest with their current role.
The GDPR has not defined a particular list of qualifications or required experience. However, it does require a DPO to have “expert knowledge of data protection laws and practices”. This knowledge should be proportionate to the type of processing your organisation carries out and take into consideration the level of protection the personal data requires. Unsurprisingly, your DPO should also have a deep understanding of the GDPR.
Ideally, a DPO should have excellent management skills and the ability to communicate with internal staff, supervisory authorities and members of the public. They must be able to handle managing data protection and compliance internally, and ensure they report any breaches or non-compliance to the relevant supervisory authority.
As an employer you also have specific duties when it comes to your DPO, namely, you must ensure that:
- The DPO reports to the highest management level of your organisation e.g. the board
- The DPO operates independently and is not dismissed or penalised for performing their duty
- Adequate resources are provided to ensure the DPO can meet their GDPR obligations
The DPO is a highly accountable role, requiring certain expertise and experience, so it’s important to hire the right person. Organisations should assume they require a DPO – unless they can clearly demonstrate otherwise. However, according to advice from the ICO and WP29, it could be best practice to appoint one anyway. Just bear in mind they will have the same requirements and responsibilities as mandatory DPOs.