Circle White
Back to news

GDPR and the role of Data Protection Officer

Do you need to have a Data Protection Officer in your company? If you don't, there are still obligations you must fulfill and not doing so can cause issues.
Banner Image

The UK General Data Protection Regulation (GDPR) introduces a duty for companies to appoint a Data Protection Officer (DPO) if they are a public authority or body, or if they carry out certain types of processing activities such as the monitoring of data relating to criminal convictions and offences, finance data, data relating to children and hospital health data sets and the monitoring of any other large-scale data sets.

  • DPO’s assist to monitor internal compliance, inform, and advise on data protection obligations, provide advice regarding Data Protection Impact Assessments (DPIAs) and act as a contact point for data subjects and the Information Commissioner’s Office (ICO). 
  • The DPO must be independent (meaning there should be no penalty or conflict in allowing them to perform their tasks in protecting personal data), an expert in data protection, adequately resourced, is given independence to perform their tasks and report to the highest management level.
  • A DPO can be an existing employee or externally appointed.
  • In some cases, several organisations can appoint a single DPO between them.
  • DPOs can help demonstrate compliance and are part of the enhanced focus on accountability.
  • If you are not required to appoint a DPO under UK GDPR but you choose to the same duties and responsibilities apply and they should be supported to the same standards. 

The main responsibilities of a Data Protection Officer

  • Monitor Compliance with GDPR and other relevant data protection laws, provides data protection policies, conducts awareness raising, training and audits.
  • Will advice senior management on obligations.
  • Carry out Data Protection Impact Assessments (DPIA’s).
  • Acts as a first point of contact and must cooperate with the Information Commissioners Office (ICO).
  • Has a high-regards for risk associated with processing operations, taking into account the nature, scope, context and purpose of the processing.
  • Must be an easily accessible point of contact for individuals, employees and the ICO.

You should appoint a DPO based their professional qualifications and knowledge of data protection law. Credentials aren’t specified but should be appropriate and proportionate to the risk involved and complexity of the processing activity taking place to provide effective oversite. Industry sector knowledge is always an advantage. 

Tim Morris - Director

DPO’s can do other tasks as long as they don’t end up managing competing objectives that may provide any conflict to their considering data protection objectives first. They can be hired as a permanent member of staff or as a contractor, however the same rules apply with regards to accessibility.

A company must provide adequate resources (time, finance, infrastructure and in some cases staff) to enable the DPO to meet their UK GDPR obligations and maintain their knowledge.

If a company decides not to take their advice any objections must be noted in writing for future scrutiny. 

The DPO is not personally responsible for data law compliance but plays a crucial role in helping companies fulfil obligations for data protection.

See https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/accountability-and-governance/guide-to-accountability-and-governance/accountability-and-governance/data-protection-officers/ to find out more. 

circle-blue

Looking to hire a Data Protection Officer?

Please upload your requirement here and our consultant team will be in touch.      

DOC, .DOCX or .PDF

Background 2 Image

Keep up to date

Sign up to our newsletter to get our latest news and job alerts.