Do I need a DPO (Data Protection Officer)?

The GDPR was enacted into UK law as the Data Protection Act 2018. It requires organisations to designate a Data Protection Officer (DPO) if they:

  • Are a public body (except parish councils in the UK) or
  • Process data on a ‘large scale’ or
  • Use data to “regularly and systematically” monitor individuals

Whilst not necessarily a full-time role, DPOs do require specialist data protection expertise. The Information Commissioner’s Office’s (ICO) power to impose significant financial penalties and the danger of reputational damage from failing to protect personal data mean the role is increasingly important.


This page explains which organisations must appoint a DPO. It outlines the key responsibilities of the role and how they are carried out in practice.

WHAT THE LEGISLATION REQUIRES OF DATA PROTECTION OFFICERS

Responsibilities

The DPO should:

  • Keep the organisation informed and advised about data protection
  • Monitor the organisation’s compliance with the legislation
  • Make sure personal data protection is considered ‘by design’ in new processes and technologies
  • Co-operate with and act as the contact point with the ICO or other supervisory authorities

The Person and the Position

The DPO should:

  • Have expert knowledge of data protection law and practices
  • Report to the highest management level
  • Avoid conflicts of interest with any other role they perform in the organisation

DPOs can be members of staff or a third party retained on a service contract.


WHAT DATA PROTECTION OFFICERS DO IN PRACTICE

DPOs should champion data protection in the organisation – this means they should:

Inform and advise

  • Facilitate staff training, including board members, managers and data-facing staff
  • Share best practice for data protection across the organisation
  • Advise on the impact of other data protection regulations
  • Answer queries on all aspects of personal data protection

Ensure individuals can exercise their rights to:

  • Request access to their data using a Data Subject Access Request (DSAR)
  • Be informed about processing
  • Be forgotten
  • Rectify incorrect data
  • Restrict processing
  • Port their data elsewhere
  • Object to processing, automated decision-making and profiling

Review and update policies

  • Keep policies up to date with data protection requirements, including:
      • Privacy and cookie policy
      • Consent forms
      • General data protection policy
      • Retention policy
      • Employee policies etc.

Oversee evaluation of new and high risk processes

  • Privacy by design
  • Data protection and privacy impact assessments (DPIAs and PIAs)

Oversee sharing of personal data

  • Ensure appropriate agreements are in place and monitor compliance, including:
      • Data Sharing Agreements
      • Data Processor Agreements

Manage and oversee communication

  • Be the named point of contact with the ICO and other European supervisory authorities
  • Oversee and monitor responses to DSARs

Monitor, report and demonstrate accountability

  • Ensure all compliance records are maintained, including:
      • Records of Processing Activity (RoPA)
      • Data asset register
      • Breach register
      • Risk register
      • Log of individuals’ exercised rights
      • Supervisory authority contact records
      • Training record
  • Report to senior management on how risk and compliance are evolving

In addition to our outsourced data protection services we also offer a wide range of complementary data protection consultancy services.
