Why you need a Data Protection Officer

The GDPR applies in the UK alongside the Data Protection Act 2018, which supplements it rather than replacing it. Under Article 37 of the GDPR an organisation must designate a Data Protection Officer (DPO) if it:

  • Is a public authority or body (except parish councils in the UK), or
  • Carries out, as a core activity, regular and systematic monitoring of individuals on a large scale, or
  • Processes special category data, or data about criminal convictions and offences, on a large scale as a core activity

Whilst not necessarily a full-time role, the DPO does require specialist data protection expertise. The Information Commissioner's Office's (ICO) power to impose significant financial penalties, together with the reputational damage that follows a failure to protect personal data, makes the role increasingly important.

This page explains which organisations must appoint a DPO. It outlines the key responsibilities of the role and how they are carried out in practice.

WHAT THE LEGISLATION REQUIRES OF DATA PROTECTION OFFICERS

Responsibilities

The DPO should:

• Keep the organisation informed and advised about data protection
• Monitor the organisation's compliance with the legislation
• Make sure personal data protection is considered 'by design' in new processes and technologies
• Co-operate with, and act as the contact point for, the ICO or other supervisory authorities

The Person and the Position

The DPO should:

• Have expert knowledge of data protection law and practices
• Report to the highest management level
• Avoid conflicts of interest with any other role they perform in the organisation

DPOs can be members of staff or a third party retained on a service contract.


WHAT DATA PROTECTION OFFICERS DO IN PRACTICE

DPOs should champion data protection in the organisation – this means they should:

Inform and advise

• Facilitate staff training, including for board members, managers and data-facing staff
• Share best practice for data protection across the organisation
• Advise on the impact of other data protection regulations
• Answer queries on all aspects of personal data protection

Ensure individuals can exercise their rights to:

• Request access to their data using a Data Subject Access Request (DSAR)
• Be informed about processing
• Have their data erased (the 'right to be forgotten')
• Rectify incorrect data
• Restrict processing
• Port their data elsewhere
• Object to processing, automated decision-making and profiling

Review and update policies

• Keep policies up to date with data protection requirements, including:

  • Privacy and cookie policy
  • Consent forms
  • General data protection policy
  • Retention policy
  • Employee policies etc.

Oversee evaluation of new and high risk processes

• Privacy by design
• Data protection and privacy impact assessments (DPIAs and PIAs)

Oversee sharing of personal data

• Ensure appropriate agreements are in place and monitor compliance with them, including:

  • Data Sharing Agreements
  • Data Processor Agreements

Manage and oversee communication

• Be the named point of contact with the ICO and other European supervisory authorities
• Oversee and monitor responses to DSARs

Monitor, report and demonstrate accountability

• Ensure all compliance records are maintained, including:

  • Records of Processing Activity (RoPA)
  • Data asset register
  • Breach register
  • Risk register
  • Log of individuals’ exercised rights
  • Supervisory authority contact records
  • Training record

• Report to senior management on how risk and compliance are evolving
