The subject of data protection has come into the limelight recently, especially following an increase in the number of data breaches being reported and the enforcement date of the General Data Protection Regulation (GDPR) passing.
With this extra focus on data protection, many organisations are left asking questions about their responsibilities toward it, especially over topics such as if they need to assign a Data Protection Officer (DPO).
What is a DPO?
A DPO is an experienced and independent expert who advises an organisation on data protection matters, regulations and law. They should be used to and comfortable with working in positions that are situated quite high within an organisation in that they must report directly to senior management.
Although there are no specific requirements for the type of qualifications that a DPO must hold, the types and complexity of the data an organisation processes/stores is a vital consideration. This is because it will determine the level of protection required to protect that data and subsequently the experience and knowledge a DPO needs to advise an organisation accurately.
It is also advantageous for a DPO to be familiar with the industry they are working in so that they are aware of the specific data protection challenges within that sector.
DPOs can cover a group of companies, providing they can perform their duties effectively across the group, and they can even be contracted in from external companies if this is appropriate for your business (e.g. smaller businesses).
What responsibilities does a DPO have?
While the specific responsibilities of a DPO will change depending on the requirements of the company, their key purpose is to be responsible for the protection and privacy of data within a business for all activities involved in processing personal data. This includes keeping up with new or changing data protection laws and regulations.
A DPO will be heavily involved in and responsible for setting out and implementing an organisation's data protection strategy. They are responsible for ensuring compliance with any data protection laws or regulations that may be applicable including performing Internal Audits and Data Protection Impact Assessments (DPIA) to measure compliance.
DPOs are also responsible for raising awareness and training employees on data protection matters to ensure they are contributing to the organisation's compliance.
Where a supervisory authority is involved, such as the Information Commissioner's Office (ICO), the DPO would be excepted to cooperate and liaise with them, especially if there is a data breach within the organisation.
Risk is an important consideration for a DPO and must be factored in to all of their activities and the advice they give. Activities with a higher risk, such as those that occur frequently or have a severe impact on the business or individual on whom the data is held, should be dealt with as a priority over those with a lesser risk.
Does my organisation need a DPO?
If you are operating within the EU or the UK, or holding/processing data for EU citizens, then under the GDPR you must assign a DPO if:
- Your organisation is a public authority
- Your organisation's activities involve regular, large scale monitoring of individuals
- Your organisation is involved in the large scale processing of sensitive data such as that involved in criminal convictions
Other than the above, it is not a requirement for you to assign a DPO. You are free to assign on if you wish, but then you must follow the requirements of the GDPR as if their assignment had been mandatory.
If you decide not to assign a DPO, it is advisable for you to record this and describe the reasoning behind your decision so that you can explain this to interested parties.
Where can I find out more about DPOs?
(please note that these guides are describing the DPO role specifically in relation to the GDPR)