Who needs a Data Protection Officer under the GDPR?



What is a Data Protection Officer?

Data Protection Officers (DPOs) are independent experts. They will help your organisation monitor internal compliance, inform and advise you of your data protection obligations, provide advice on the application of Data Protection Impact Assessments (DPIAs) and act as a point of contact for data subjects and the supervisory authority.

Do you need to appoint a DPO?

Article 37(1) of the GDPR (with Articles 38 and 39 setting out the DPO's position and tasks) requires you to appoint a Data Protection Officer in any case where:

  • you are a public authority or body (except for courts acting in their judicial capacity);
  • your core activities consist of processing operations that require regular and systematic monitoring of data subjects on a large scale; or
  • your core activities include processing on a large scale of special categories of data (set out in Article 9 of the GDPR) or personal data relating to criminal convictions and offences (referred to in Article 10 of the GDPR).

Voluntary Appointment

First, establish whether your organisation is actually required to appoint a Data Protection Officer. Many organisations that are not required to do so still choose to appoint one, as it is considered good practice and a practical way of building trust with their client base and demonstrating compliance and accountability. Bear in mind that if you appoint a DPO voluntarily, the requirements of Articles 37 to 39 apply to that appointment as if it were mandatory, so the DPO still needs the independence, resources and reporting line described below.

What Professional Qualities should the DPO have?

The GDPR does not define the credentials a Data Protection Officer must hold. It does, however, require (Article 37(5)) that the DPO be designated on the basis of professional qualities and, in particular, expert knowledge of data protection law and practices and the ability to fulfil the tasks referred to in Article 39.

So, what does that mean?

Compliant processing of personal data can be complicated, with considerable risk to your organisation for getting it wrong. A DPO must have expert knowledge and the ability to fulfil the following tasks:

  • inform and advise you about your obligations under the GDPR and other data protection laws;
  • monitor compliance with the GDPR and other data protection laws, including managing in-house data protection activities, raising awareness of data protection issues through staff training, and conducting internal audits;
  • advise on the requirement of a data protection impact assessment (DPIA), how to perform them and how to handle their findings;
  • confidently serve as a credible point of contact with relevant supervisory authorities and all data subjects whose personal information has been processed, including responding to DSARs (Data Subject Access Requests).

The DPO should be ‘Independent’ – Does that mean they just get on with it?

Not exactly. The obligation to comply with the GDPR falls squarely on your organisation. Article 38 outlines how you are expected to support your DPO. Whether you appoint an existing employee (making sure there is no possible conflict of interest in their duties) or choose to bring in outside expertise, it is essential that you ensure the DPO:

  • is involved, properly and promptly, in all issues relating to the protection of personal data;
  • reports directly to the highest level of management;
  • can operate independently and is not dismissed or penalised for performing their tasks – your organisation cannot instruct the DPO on how to carry out those tasks or how to interpret data protection law;
  • is adequately resourced to meet the tasks set out above;
  • is given the necessary access to personal information and processing activities.

What are my options?

Any organisation can appoint an existing member of staff as its DPO. Before doing so, consider whether they have the requisite ‘expert knowledge’ (Article 37(5)), the time and cost involved for them to acquire it, and the opportunity cost of diverting a valuable resource to the role. Remember also that the role must not conflict with their existing duties: someone who decides the purposes and means of processing, such as a head of IT, HR or marketing, cannot act as an independent DPO.

Outsourcing the Data Protection Officer role has several benefits. The role frequently does not need to be full-time, so, as an operating expense, you pay only for the time the DPO spends supporting your business. You also avoid the associated costs of employing a staff member, such as training, annual leave, pensions and sick pay, while still receiving the support your organisation needs to meet the demands of data protection regulation.

Discover our comprehensive outsourced data protection solutions or contact us today with your enquiry.

Get in touch

Fill in the form below and we’ll get back to you as soon as possible

JSIG is committed to protecting and respecting your privacy. We will also occasionally contact you about products, services and content that we feel are both relevant and of interest to you. You can unsubscribe from these communications at any time. For more information please see our privacy policy.