Do I need a DPO (Data Protection Officer)?
The GDPR was enacted into UK law as the Data Protection Act 2018. It requires organisations to designate a Data Protection Officer (DPO) if they:
- Are a public body (except parish councils in the UK), or
- Process data on a “large scale”, or
- Use data to “regularly and systematically” monitor individuals
Whilst not necessarily a full-time role, the DPO role does require specialist data protection expertise. The Information Commissioner’s Office’s (ICO’s) power to impose significant financial penalties, and the danger of reputational damage from failing to protect personal data, mean the role is increasingly important.
This page explains which organisations must appoint a DPO. It outlines the key responsibilities of the role and how they are carried out in practice.
WHAT THE LEGISLATION REQUIRES OF DATA PROTECTION OFFICERS
The Person and the Position
The DPO should:
DPOs can be members of staff or a third party retained on a service contract.
WHAT DATA PROTECTION OFFICERS DO IN PRACTICE
DPOs should champion data protection in the organisation – this means they should:
- Inform and advise
- Ensure individuals can exercise their rights to:
- Review and update policies
  - Consent forms
  - General data protection policy
  - Retention policy
  - Employee policies etc.
- Oversee evaluation of new and high-risk processes
- Oversee sharing of personal data
  - Data Sharing Agreements
  - Data Processor Agreements
- Manage and oversee communication
- Monitor, report and demonstrate accountability
  - Records of Processing Activity (RoPA)
  - Data asset register
  - Breach register
  - Risk register
  - Log of individuals’ exercised rights
  - Supervisory authority contact records
  - Training record
In addition to our outsourced data protection services we also offer a wide range of complementary data protection consultancy services.