The UK General Data Protection Regulation (GDPR) introduces a duty for companies to appoint a Data Protection Officer (DPO) if they are a public authority or body, or if they carry out certain types of processing activities, such as the monitoring of data relating to criminal convictions and offences, finance data, data relating to children and hospital health data sets, and the monitoring of any other large-scale data sets.
- DPOs help monitor internal compliance, inform and advise on data protection obligations, provide advice on Data Protection Impact Assessments (DPIAs) and act as a contact point for data subjects and the Information Commissioner’s Office (ICO).
- The DPO must be independent (there should be no penalty for, or conflict of interest in, performing their tasks of protecting personal data), an expert in data protection, adequately resourced, and must report to the highest management level.
- A DPO can be an existing employee or externally appointed.
- In some cases, several organisations can appoint a single DPO between them.
- DPOs can help demonstrate compliance and are part of the enhanced focus on accountability.
- If you are not required to appoint a DPO under UK GDPR but choose to, the same duties and responsibilities apply and the DPO should be supported to the same standards.
The main responsibilities of a Data Protection Officer
- Monitors compliance with GDPR and other relevant data protection laws, provides data protection policies, and conducts awareness raising, training and audits.
- Advises senior management on their obligations.
- Carries out Data Protection Impact Assessments (DPIAs).
- Acts as a first point of contact and must cooperate with the Information Commissioner’s Office (ICO).
- Has due regard to the risk associated with processing operations, taking into account the nature, scope, context and purpose of the processing.
- Must be an easily accessible point of contact for individuals, employees and the ICO.
You should appoint a DPO based on their professional qualifications and knowledge of data protection law. Credentials aren’t specified but should be appropriate and proportionate to the risk involved and the complexity of the processing activity taking place, so that the DPO can provide effective oversight. Industry sector knowledge is always an advantage.
Tim Morris - Director
DPOs can perform other tasks as long as those tasks do not create competing objectives that conflict with putting data protection first. They can be hired as a permanent member of staff or as a contractor; the same rules on accessibility apply either way.
A company must provide adequate resources (time, finance, infrastructure and in some cases staff) to enable the DPO to meet their UK GDPR obligations and maintain their knowledge.
If a company decides not to follow the DPO’s advice, any objections must be noted in writing for future scrutiny.
The DPO is not personally responsible for data law compliance but plays a crucial role in helping companies fulfil their obligations for data