Ryan Mitchell | 5th January 2022

Data Protection Officer (DPO): 4 key questions answered


A Data Protection Officer (“DPO”) is the person who looks after data protection compliance within an organisation.

What is a DPO? Do we need one?

In this blog we explain what a DPO is, whether you need one, who you should appoint as one and more.

What is a Data Protection Officer?

A Data Protection Officer is a person formally appointed by your organisation to lead data protection compliance. Their obligations may include:

  • monitoring internal compliance and advising colleagues on data protection obligations;
  • conducting Data Protection Impact Assessments (“DPIAs”) and Legitimate Interest Assessments (“LIAs”); and
  • acting as first point of contact for data subjects and the Information Commissioner’s Office (the “ICO”).

This is done by the DPO implementing policies and procedures to manage the processing of personal data. The DPO should also work closely with the persons in your organisation who are responsible for information security as protection of personal data is a key legal responsibility.

Another important role for the DPO is to ensure that your organisation has an effective staff training programme for data protection. The DPO should work with your HR team to ensure that staff receive data protection training which is relevant to their duties and levels of seniority.

How should we choose a DPO?

A Data Protection Officer should be appointed on the basis of their professional qualities, in particular their experience and knowledge of data protection law. If your organisation carries out particularly complex data processing activities then the expertise of your DPO should reflect this.

Even if your organisation only carries out basic processing of personal data, it is usually a good idea to ensure your Data Protection Officer has some data protection training before they start.

Your DPO can have other responsibilities within your organisation, provided that these do not conflict with the Data Protection Officer’s data protection duties. This means an existing employee can be your DPO. Alternatively, the position of DPO can be outsourced via a service contract to an external individual or organisation.

A single DPO can be appointed for a group of organisations but you must ensure they are still able to perform their tasks effectively. The DPO shouldn’t be placed in a position where they have a conflict of interests between different organisations.

Do we need to have a DPO?

UK GDPR says that you must appoint a Data Protection Officer if:

  • you are a public authority (as defined in Section 7 Data Protection Act 2018) or body other than courts acting in their judicial capacity;
  • your core activities require large-scale, regular and systematic monitoring of individuals (e.g. online behaviour tracking); or
  • your core activities consist of large-scale processing of special categories of data or data relating to criminal convictions and offences.

If you do not fall into the above categories then you aren’t legally required to appoint a DPO but it may nevertheless be sensible to do so. Many organisations find it easier to stay on top of data protection compliance once they have appointed a suitably experienced DPO.

Do we need to tell the ICO that we have appointed a Data Protection Officer?

UK GDPR requires you to make public the contact details of your Data Protection Officer and to provide them to the ICO. This enables data subjects, your employees and the ICO to contact the Data Protection Officer when required.

To add a Data Protection Officer to your business you will need a registration number and security number. You can add a DPO by completing the online form on the ICO’s website.

If you do not know your security number then you can email the ICO on dataprotectionfee@ico.org.uk with the subject line “Add a DPO”. In this email you will need to include:

  • the registration number of your organisation;
  • whether you are required to provide the details of your Data Protection Officer or if you are doing so voluntarily; and
  • the name, address, phone number and/or email address of your DPO if they are an individual (e.g. a member of staff) or the name, address, phone number and/or email address of the external organisation that will be carrying out the Data Protection Officer duties on your behalf.

If you have any queries relating to this blog or Data Protection Officers in general, please contact Ryan Mitchell.