Who needs a Data Protection Officer?

Linkedin reports DPO role one of fastest emerging jobs !

No doubt the demand to fill these positions is on the up, as organisations awareness of the legal requirement increases or in response to expectations of their market place. 

So do you legally need a DPO ? 

The legal requirements to appoint a DPO exists in the following cases:

  • You are a public authority or body
  • Your core activities require large scale, regular and systematic monitoring of individuals (for example, online behaviour tracking); or
  • Your core activities consist of large scale processing of special categories of data or data relating to criminal convictions and offences.

Whilst the first two criteria are easily recognised, the criteria of ‘Large scale processing of special categories of data’ remains a grey area. Applying some simple rational, if your every day data processing activities evolve largely around collecting, generating storing, using or disposing of ‘Special category’ data; then you would be advised to appoint a DPO. 

Follow link for ‘Special Category’ definition 

https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/special-category-data/what-is-special-category-data/#scd1

Can i appoint one anyway ?

Yes you can !   Many organisations do just that, as a means of demonstrating to their stakeholders how importantly they view data protection or feel it is an expectation of their sector. 

**Note in both cases your appointed DPO must be registered with the ICO.  

What if we don’t have a DPO ? 

Responsibility for compliance with Data Protection law, within all organisations; rests with the Directors of that organisation. Therefore a senior person should be appointed responsible, regardless of legal requirements for a DPO. It is also required that the nominated person or DPO is identified in Privacy communications and contactable by data subjects (including staff) wishing to exercise their rights.  

What qualification is required of a DPO ? 

A recent blog (Linkedin 31.01.20) by the ICO listed the  following criteria:

  • must be independent 
  • expert in data protection
  • adequately resourced 
  • reports directly to the highest management level 

This is often where organisations struggle and make mistakes – appointing an internal resource who’s independence would be questionable or someone with little or no previous experience in the subject. 

Can an external resource be hired as DPO ?

Yes, they can and it is often the best way of ensuring complete independence from those shaping policy and/or determining expenditure for data protection. It is also a more economical  means of engaging someone with the right level of competence for the role.  

It is also acceptable for organisations to share a DPO; which could offer further savings on the cost of making the appointment. 

Need Support ? 

If you require assistance in determining your position in respect to appointment of a DPO or would be interested in a DPO service, then please contact: 

martin@aversus.co.uk

Share this post on LinkedIn

Related News

Coronavirus – Homeworking ?

Switching staff to Homeworking?   In response to the Government guidance on Coronavirus, many staff are now working at home. Homeworking needs to be clearly thought

Read More »