When Do I Need A DPO, and What Does A DPO Do?

Data Protection Officers play integral roles when maintaining data protection compliance for many organisations. We explore if you need a DPO for your business.

When do I need a Data Protection Officer (DPO)?

Your organisation will have a duty to appoint a data protection officer under the UK GDPR if you are a public authority/body, or if you carry out certain types of processing activities. If you are not a public body/authority, you will need to appoint a DPO when:


  1. your core activities (that is, activities where you need to process personal data to achieve your key objectives) consist of processing activities that require the systematic monitoring of individuals on a large scale; or
  2. your core activities consist of processing special category data or data relating to criminal convictions/offences on a large scale.

Regular and systematic monitoring on a large scale


Although there is no set definition in legislation, there are guidelines that suggest this consists of all forms of tracking and profiling, whether online or offline. When considering whether the processing is large scale, you will need to consider various factors, not just the number of data subjects whose personal data is being processed (although this is still a factor to consider). These include:


  1. the volume of personal data being processed;
  2. the range of different data items;
  3. the geographical extent of the activity; and
  4. the duration or permanence of the processing.

Large scale processing of special category data and criminal convictions and offences data


This processing carries a higher risk and therefore you are required to appoint a DPO who can assist your organisation when making decisions surrounding these processing activities. In order to determine if the processing is large scale, your organisation should consider the factors mentioned above.

What does a DPO do?


Under Article 37 of the GDPR, a DPO should be appointed on the basis of their professional qualities with particular regard to their experience and knowledge of data protection law. 


Article 39 of the GDPR outlines the tasks of the DPO to include:

  • Informing and advising an organisation and its employees about their obligations to comply with UK data protection laws.
  • Monitoring compliance with the GDPR and other data protection laws.
  • Managing internal data protection activities and policies, raising awareness of data protection issues, training staff and conducting internal audits to monitor compliance.
  • Advising when a data protection impact assessment (DPIA) should be completed and monitoring its completion.
  • Cooperating with the ICO and acting as the organisation’s point of contact for the ICO.
  • Acting as the organisation’s point of contact for individuals whose data is being processed.


A DPO’s tasks are not limited to those contained in Article 39, as they are also required to consider the risk of the processing and focus on the higher risk processing activities of the organisation.

It is important to note that although a DPO is assigned to assist in an organisation’s data protection compliance, the DPO is not personally responsible or liable if something goes wrong; that onus still lies with the organisation as the data controller or data processor. In addition, if you or your organisation choose not to follow the DPO’s advice, the reasoning behind this decision should be documented to demonstrate the organisation’s accountability.

Key take-aways


DPOs have a wide range of tasks that help your organisation maintain compliance with data protection laws. You should have a DPO appointed if you are a public authority, if your processing involves systematic monitoring on a large scale, or if it involves special category/criminal data on a large scale.

How can DPAS help?


Here at DPAS we offer a range of DPO services, including an outsourced DPO service to help give you more peace of mind. 

If you’d like to talk to us more about how we can help, either give us a call on 0203 3013384 or send us an email at info@dataprivacyadvisory.com – or fill in a contact form and we’ll get in touch with you.
