Do small organisations need to appoint a DPO?

Small organisations often try to claim exemption from the EU’s GDPR (General Data Protection Regulation) based on their size. In most cases this is in vain, but there is one requirement where they might be justified: the appointment of a DPO (data protection officer).

A DPO is an independent expert tasked with overseeing an organisation’s data protection practices.

Organisations within the Regulation’s scope are required to appoint a DPO if they:

  • Are a public authority or body;
  • Regularly and systematically monitor data subjects; or
  • Process special categories of data on a large scale.

There will be plenty of SMEs (small and medium-sized enterprises) that don’t fit into any of these categories, so they aren’t required to appoint a DPO. But that doesn’t mean they shouldn’t. There are many benefits to having a DPO, and in 2017, the WP29 (Article 29 Working Party) recommended that all organisations appoint one as a matter of best practice.

What a DPO does

A DPO is responsible for monitoring an organisation’s application of the GDPR and ensuring that it remains compliant. This includes:

  • Advising staff on their data protection responsibilities;
  • Monitoring the organisation’s data protection policies and procedures;
  • Advising management on the necessity of DPIAs (data protection impact assessments);
  • Serving as the point of contact between the organisation and its supervisory authority regarding data protection issues; and
  • Serving as the point of contact for individuals on privacy matters, such as DSARs (data subject access requests).

A full list of the DPO’s responsibilities is set out in Article 39 of the GDPR.

The potential penalties for breaching the GDPR are severe, so it will be incredibly beneficial to have someone keeping a close eye on your practices and alerting you to vulnerabilities.

Where to find a DPO

Finding a suitable DPO is arguably one of the biggest challenges of the GDPR. The role doesn’t necessarily need to be filled by a qualified lawyer, but a DPO must have a good understanding of data protection law and the GDPR in particular. They also need to be familiar with information security technology as well as how to implement and manage data protection programmes.

A DPO must possess strong communication skills, as they will be interacting regularly with senior management and an organisation’s regular employees.

Fortunately, the GDPR gives organisations several options for finding someone who meets all these requirements. First, organisations can fill the role internally, with the employee either focusing exclusively on their DPO responsibilities or performing the necessary tasks alongside their existing role (provided there is no conflict of interest between the two positions).

Alternatively, organisations can outsource the role, sharing a DPO with other businesses. This is ideal for SMEs, as their data processing activities probably aren’t substantial enough to require a full-time DPO.

DPO as a service

Organisations interested in outsourcing the DPO role should consider IT Governance’s DPO as a service. One of our data protection experts will act as a remote DPO, working with you to understand your organisation and its compliance requirements. They’ll complete the necessary tasks and provide you with guidance whenever you need it.

We offer a specialist DPO service for schools and healthcare organisations.
