Under the GDPR (General Data Protection Regulation), a DPO (data protection officer) must be appointed by all public bodies and by organisations whose core activities include:
- Regular large-scale monitoring of data subjects; or
- Processing large amounts of special categories of data.
ICO (Information Commissioner’s Office) guidance says that DPOs must be “independent, an expert in data protection, adequately resourced, and report to the highest management level.”
The GDPR requires that a DPO operates independently and without instruction from their employer over the way they carry out tasks, as well as being free from any conflicts of interest. An employer should not provide guidance on how to investigate complaints, what results should be achieved or how to interpret data protection law.
Although the DPO can fulfil other tasks and duties, they must ensure that there are no conflicts of interest between these duties and their DPO role. In practice, this means that the DPO should not determine the purpose or manner for processing data in their other duties. Additionally, a DPO should not face competing objectives, where business objectives could be prioritised over data protection. Most senior management roles will conflict with the DPO role.
Training internal staff
Despite the need for a DPO to be impartial, it is still possible for the role to be filled internally.
Where organisations identify a suitable internal staff member to become the DPO, certain training requirements should be met. The GDPR requires that a DPO has expertise in national and European law, including an in-depth knowledge of the GDPR. The increased scope of the Regulation means DPOs should undertake training in its legal basis and practical implications.
Outsourced DPO services
The DPO role can be outsourced, and there are many options available to organisations looking to take this route. The ICO guidance is that external DPOs should have the same position, tasks and duties as if the role was sourced internally. Appointing a DPO is not a tick-box exercise as the role provides a vital function in ensuring continued data protection and GDPR compliance.
IT Governance is launching a DPO service for healthcare that addresses the requirements faced by organisations that process patient data and the restricted budgets that are often a barrier for the sector. For more information or to discuss the service, contact us.
Shared DPO services
Organisations and public authorities can share DPO services as long as the DPO is able to perform their tasks effectively. In some cases, however, the size or scope of the role is such that a single DPO could not realistically split their time between organisations.
For primary care organisations, including GPs and pharmacies, sharing a DPO can be a cost-effective way to meet the requirement. In these instances, it is often best to have a designated individual in-house to liaise with the DPO and to perform the less specialised parts of the role, to reduce the time required.