Who needs a Data Protection Officer, and What does a DPO do?

What does a DPO do?

Data Protection Officers (DPOs) are independent experts. They will help your organisation to monitor internal compliance, inform and advise you of your data protection obligations, provide advice on the application of Data Protection Impact Assessments (DPIAs) and act as a point of contact for data subjects and the supervisory authority.

Do you need to appoint a DPO?

Articles 37-39 of the GDPR set out that you must appoint a Data Protection Officer in any case where:

  • you are a public authority or body;

  • your core activities consist of processing operations which require regular and systematic monitoring of data subjects on a large scale; or

  • your core activities include processing on a large scale of special categories of data (set out in Article 9 of the GDPR) or personal data relating to criminal convictions and offences (referred to in Article 10 of the GDPR).

What is a Public Authority?

Under the GDPR (as applied in the UK), public authorities are those defined by the Freedom of Information Act 2000 and the Freedom of Information (Scotland) Act 2002, together with any body specified by the Secretary of State. They are considered “public” if they carry out tasks in the public interest. Public authorities include:

  • Maintained Schools
  • Higher Education Institutions
  • Publicly Owned Companies
  • Government Departments
  • Legislative Bodies
  • The Armed Forces
  • Local Government
  • Police Forces
  • National Health Services
  • Other Public Bodies

Voluntary Appointment

First, establish whether your organisation is required to appoint a Data Protection Officer. Many organisations that are not required to do so still choose to appoint one, as it is considered good practice and a fundamental way of building trust with their client base and demonstrating compliance and accountability.

What Professional Qualities should the DPO have?

The GDPR does not provide a precise definition of the credentials a Data Protection Officer should have. Still, it does state that one should be appointed based on professional qualities and, in particular, expert knowledge of data protection law and practices and the ability to fulfil the tasks referred to in Article 39.

...So, what does that mean?

Compliant processing of personal data can be complicated, with considerable risk to your organisation for getting it wrong. A typical DPO job description includes having expert knowledge and the ability to fulfil the following tasks:

  • inform and advise you about your obligations under the GDPR and other data protection laws;

  • monitor compliance with the GDPR and other data protection laws, including managing in-house data protection activities, raising awareness of data protection issues through staff training, and conducting internal audits;

  • advise on whether a data protection impact assessment (DPIA) is required, how to carry one out and how to act on its findings;
</gre_replace>
<gr_replace lines="50" cat="clarify" orig="• confidently serve as a credible">
  • serve as a credible point of contact for the relevant supervisory authorities and for all data subjects whose personal information has been processed, including responding to Data Subject Access Requests (DSARs).

  • confidently serve as a credible point of contact with relevant supervisory authorities, and for all data subjects whose personal information has been processed, including responding to DSARs (Data Subject Access Requests).

The DPO should be 'Independent' - Does that mean they just get on with it?

Not exactly. The obligation to comply with the GDPR falls squarely on your organisation. Article 38 outlines how you are expected to support your DPO. Whether you appoint an existing employee (making sure there is no possible conflict of interest in their duties) or choose to bring in outside expertise, it is essential that you ensure the DPO:

  • is involved, properly and promptly, in all issues relating to data protection;

  • reports to the highest level of management;

  • can operate independently and is not dismissed or penalised for performing their tasks – organisations cannot instruct their DPO on how to interpret data protection regulations;

  • is adequately resourced to meet the tasks set out above;

  • is given the necessary access to personal information and processing activities.

How we can help

By outsourcing the complex role of the Data Protection Officer to JS Information Governance, your organisation gets the support it needs to meet the significant demands of the GDPR with the peace of mind that a trusted expert is guiding you through to compliance.

To find out more or to have a conversation about the best place to start, get in touch.
