A lot of the advice we provide around GDPR compliance concerns the importance of being able to illustrate the steps you have taken to comply with the data protection regime as it applies to your business. Accountability is one of the key principles of GDPR, and appointing a data protection officer (DPO) who has the relevant knowledge and expertise is one of the ways you can show you are accountable to the individuals whose data you process. Although GDPR doesn’t oblige every business to employ a DPO, a good rule of thumb is to assume that you do need one unless you can clearly demonstrate that the GDPR requirements for appointing a DPO don’t apply to you.
Here we examine the roles and responsibilities of the data protection officer within an organisation and ask whether you need to appoint one to oversee your data protection practices. For more information, contact one of our specialist GDPR solicitors today.
We'll consider the following:
- What is a data protection officer responsible for?
- Do I need a data protection officer under GDPR?
- Do you have to appoint a DPO if you’re not legally obliged to?
- Who can be a data protection officer?
- Can someone from your existing team be appointed DPO?
- Could you outsource the role of data protection officer?
- By appointing a DPO, does that make them solely responsible for data protection compliance?
- What protocols should you put in place to make sure your data protection officer is complying with GDPR?
What is a data protection officer responsible for?
A data protection officer should be the go-to person for all data protection issues within an organisation. Your staff should be able to rely on the DPO’s expertise when data protection issues arise and the general public should be able to contact the DPO directly about the data processing activities of your business. The Information Commissioner’s Office (ICO) will also want to correspond with the DPO from time to time.
The roles and responsibilities of the data protection officer are set out in Article 39 of GDPR. These are:
- To inform and advise controllers, processors, and employees of their data protection obligations.
- To monitor GDPR compliance within an organisation, develop staff training and awareness-raising and advise on data protection audits.
- To provide advice on data protection impact assessments.
- To liaise with the ICO when necessary and act as a formal contact with the ICO on all issues relating to data processing.
A data protection officer must always bear in mind the risks associated with any processing activities while carrying out their functions.
Do I need a data protection officer under GDPR?
A data protection officer helps organisations minimise the risks inherent in processing personal data. With the draconian sanctions available to the ICO under GDPR, this is more important now than ever before. But many of our clients – particularly some small and medium-sized businesses – think that appointing a DPO is a disproportionate expense when they only handle a small volume of data or when the data they do process is not overly sensitive. Under GDPR you have no choice about appointing a DPO if:
- You are a public authority.
- Your core activities require large scale, regular and systematic monitoring of individuals.
- Your core activities consist of large scale processing of special categories of data or data relating to criminal convictions and offences.
To determine your ‘core activities’, you need to consider whether you need to process personal data in order to meet your primary business objectives. If you do, then your processing of data is a core activity requiring you to appoint a data protection officer.
‘Special categories’ of data include racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic and biometric data, sex life or sexual orientation and health data.
Whether you need to appoint a DPO under GDPR does not depend on the size of your business or the number of employees you have. There’s no exemption or get-out for SMEs in this regard. What matters is the nature and amount of data you process.
Do you have to appoint a DPO if you’re not legally obliged to?
If the requirements of GDPR about appointment of a DPO don’t apply to your business, do you still need to consider employing one?
You might not process sensitive information, for example, or you may only process the information of a small number of individuals. In these situations, while appointing a data protection officer might not be necessary, you still have to meet all your obligations under GDPR – and a DPO can help you ensure compliance by monitoring regularly, advising staff and increasing awareness within your company of all relevant data security issues.
One thing is clear, however: if you decide you aren’t going to appoint a DPO, you must make a clear record of your reasons for not doing so. This will enable you to defend your decision if asked to do so by regulators.
Who can be a data protection officer?
The GDPR doesn’t set out any specific qualifications a data protection officer needs to have. But when recruiting a DPO for your organisation it’s important to employ someone with appropriate experience and understanding of data protection law and how it applies to the particular industry sector you operate in. A DPO should have appropriate expertise to deal with the issues raised by the type of data you process. So if you are processing a significant volume of highly sensitive data, your DPO should have an advanced understanding of all of the issues likely to arise.
Remember too that when engaging a DPO, that person will be your organisation’s main contact for the ICO and the public. They should have excellent communication and interpersonal skills and be able to bring all of your staff together in promoting a data-secure workplace.
Can someone from your existing team be appointed DPO?
Yes. You don’t necessarily need to hire an external candidate as your DPO. If an employee has the requisite experience and the appointment as DPO wouldn’t conflict with other responsibilities they may have, you can redeploy that employee as your DPO.
Could you outsource the role of data protection officer?
The complexities of GDPR compliance coupled with the potential damage to a business when there is a data breach lead many companies, particularly smaller businesses, to outsource the data protection officer role to a professional services company that specialises in data protection.
For companies that use external data protection officers, payment of a monthly fee provides the peace of mind that they are GDPR compliant. However, businesses that do outsource the DPO function must remember that the external service company must be given the same role and responsibilities as if the DPO were an employee of the business. External DPOs will usually have some form of certification demonstrating they are qualified to act as a DPO.
By appointing a DPO, does that make them solely responsible for data protection compliance?
Appointment of a DPO does not divest the business owner (the data controller and processor) of responsibility for GDPR compliance. The DPO won’t be liable for a breach if one occurs. Instead, the DPO works to minimise the chance of a breach, helps to mitigate its impact if one does occur, and encourages best data protection practice within your organisation.
What protocols should you put in place to make sure your data protection officer is complying with GDPR?
Article 38 of the GDPR imposes an obligation on data controllers and processors within organisations to support data protection officers with sufficient resources to carry out their tasks. This includes ensuring the DPO has access to personal data and processing operations and is facilitated in maintaining their expert knowledge. In practice, to ensure you are adequately supporting the DPO in performing their functions under GDPR you should:
- Engage the DPO closely in all data protection matters.
- Provide the DPO with the resources and training needed.
- Require the DPO to report regularly to the board or similar management group. Ideally the DPO should have direct access to the most senior management when required.
- Enable the DPO to act independently.
- Ensure the DPO is not prejudiced for carrying out the role. Remember that the DPO will often have to act at arm’s length from colleagues, and this can give rise to tensions and conflict.
Observing protocols like these demonstrates that as a business you take seriously the role of the DPO – and GDPR compliance generally.