The DPO (data protection officer) role under the GDPR
What is a data protection officer?
The DPO role was introduced by the EU’s GDPR (General Data Protection Regulation), in Articles 37 to 39. Among other things, DPOs are responsible for monitoring an organisation’s compliance, informing and advising on its data protection obligations, and acting as a contact point for data subjects and for the relevant supervisory authority. In the UK, the supervisory authority is the ICO (Information Commissioner’s Office).
Although every organisation that processes personal data has to comply with the GDPR, not every organisation is required to appoint a DPO. Organisations must assess whether they need to appoint one and, if so, who should take on that responsibility. Some legal requirements must be met, such as the absence of any conflict of interest between the DPO role and the person’s other duties, which can prove challenging.
If you’re unsure about the process of appointing a DPO, or need advice to determine whether your organisation needs one, get in touch with one of our GDPR experts today.
The DPO’s role and responsibilities
The DPO’s tasks
The DPO reports directly to “the highest management level” in the organisation (Article 38(3)) and has the following specific tasks under Article 39 of the GDPR:
- Informing and advising the organisation and its employees of their data protection obligations under the GDPR and other data protection law.
- Monitoring the organisation’s compliance with the GDPR and with its internal data protection policies and procedures. This includes monitoring the assignment of responsibilities, awareness-raising and training of staff involved in processing operations, and the related audits.
- Advising, where requested, on whether a DPIA (data protection impact assessment) is necessary, how to conduct one and what outcomes to expect, and monitoring how the DPIA is carried out.
- Serving as the contact point for the supervisory authority on all data protection issues, including personal data breach notifications and prior consultation, and cooperating with the authority.
- Serving as the contact point for data subjects on privacy matters, including DSARs (data subject access requests).
Do I need to appoint a DPO?
The GDPR (Article 37(1)) makes the appointment of a DPO mandatory in only three situations:
- When the organisation is a public authority or body (except for courts acting in their judicial capacity).
- When the organisation’s core activities consist of processing operations that, by their nature, scope and/or purposes, require regular and systematic monitoring of data subjects on a large scale.
- When the organisation’s core activities consist of large-scale processing of special categories of data (sensitive data such as information on health, religion, racial or ethnic origin, or sexual orientation) and/or personal data relating to criminal convictions and offences.
Neither “core activities” nor “large scale” is defined in the Regulation; the WP29 guidelines on DPOs give criteria for assessing them, such as the number of data subjects, the volume of data, the duration of the processing and its geographical extent.
SMEs (small and medium-sized enterprises) are not exempt from the DPO requirement if any of the above situations applies to them. The ICO has reaffirmed this: “I’ve heard plenty of people talking about there being a DPO exemption for SMEs – this is absolutely not the case.” (Peter Brown, Senior Technology Officer, ICO)
Article 37(4) of the GDPR permits member states to specify other circumstances in which a DPO must be appointed. German data protection law (the BDSG), for example, requires every organisation that constantly employs at least ten people in the automated processing of personal data to appoint a DPO; that threshold was raised to 20 in 2019.
Even where the GDPR does not require a DPO, the WP29 (Article 29 Working Party, since replaced by the European Data Protection Board, which has endorsed its DPO guidelines) encourages appointing one voluntarily as good practice and as a way of demonstrating compliance with the Regulation. Note that an organisation that appoints a DPO voluntarily is bound by the same requirements on the DPO’s position, tasks and independence as one that is obliged to appoint one. Organisations that do not want that commitment can instead consider a data privacy management alternative.
Do I have to appoint a DPO internally?
The GDPR allows organisations to choose whether to appoint an internal or external DPO: the DPO may be a member of staff (internal DPO) or fulfil the tasks under a service contract (external DPO) (Article 37(6)). A group of undertakings may also appoint a single DPO, provided that they are easily accessible from each establishment (Article 37(2)). Either way, the organisation must involve the DPO in all data protection matters and give them the resources, access to personal data and processing operations, and training they need to fulfil their tasks (Article 38(1) and (2)), so consider the level of support your DPO will need.
With a shortage of individuals trained to handle the specific DPO responsibilities, outsourcing these tasks and duties can help your organisation meet the compliance demands of the GDPR while staying focused on its core business activities.
Whatever the decision, IT Governance can help your organisation fulfil the DPO role with outsourced solutions, training for internal development and support services.
Key considerations for the DPO role
What are the legal requirements of the DPO role?
The GDPR requires that the DPO operates independently and receives no instructions from the organisation over how they carry out their DPO tasks (Article 38(3)). This rules out instructions on what result should be achieved, how to investigate a complaint or whether to consult the supervisory authority, and organisations cannot tell their DPO how to interpret data protection law. The DPO also cannot be dismissed or penalised for performing their tasks.
Although the GDPR allows DPOs to “fulfil other tasks and duties”, organisations are obliged to ensure that these do not result in a “conflict of interests” with the DPO duties (Article 38(6)). In practice this means the DPO cannot hold a position in which they determine the purposes and means of processing personal data. Most senior positions within an organisation are likely to cause such a conflict (e.g. CEO, chief operating officer, chief financial officer, chief medical officer, head of marketing, head of HR or head of IT).
What qualifications does a DPO need?
The GDPR does not specify the precise credentials a DPO must have; Article 37(5) requires only that the DPO is designated on the basis of their professional qualities, in particular expert knowledge of data protection law and practices, and their ability to fulfil the tasks. The WP29 guidelines set out what that means in practice:
- Level of expertise – an understanding of how to build, implement and manage data protection programmes is essential. The more complex or high-risk the data processing activities are, the greater the expertise the DPO will need.
- Professional qualities – DPOs do not have to be qualified lawyers, but they must have expertise in national and European data protection law and practice, including an in-depth knowledge of the GDPR. DPOs must also have a good understanding of the processing operations carried out and of the technical and organisational measures the organisation has in place, and be familiar with information technologies and data security.
In the case of a public authority or body, the DPO should have sound knowledge of its administrative rules and procedures.
Certified GDPR training for the DPO role
Our ISO 17024-certificated GDPR training courses offer a structured learning path to equip data protection and information security professionals, as well as individuals who lack data protection expertise and experience, with the specialist knowledge and skills needed to deliver GDPR compliance and fulfil the DPO role.
Free webinar: Appointing a data protection officer under the GDPR
The demand for experienced data protection professionals is rising, along with the pressure on organisations to comply with the GDPR. The process of appointing a DPO is complicated, and finding appropriate guidance can itself prove a challenge. IT Governance’s free webinar discusses the need for a DPO in the context of the GDPR.
DPO support for your organisation
We have a selection of DPO products and services that can support your organisation’s GDPR compliance, whether it is an outsourced solution, complementary support or certified training.
Speak to a GDPR expert
If you’re unsure about the process of appointing a DPO or need advice to determine whether your organisation needs one, get in touch with our team of GDPR experts. We can help you to determine the best steps forward and advise on which of our services would be best suited to your organisation.