Search

Services

VIEW ALL ()

Resources

VIEW ALL ()

Key Contacts

MEET THE TEAM

Key Contacts

MEET THE TEAM

Search

Want to see all Business Services in one place?

View all Business Services

Want to see all Life Services in one place?

View all Life Services

Want to see all Charity Education in one place?

View all Charity Education

Not sure where to start? Just want to talk to us?

Get in touch

charity & education Services

charity & education

your business Services

your business

your life Services

your life

About Us

 

Charity Law

 

Education Law

 

Banking and Finance

 

Commercial

 

Commercial Mediation

 

Commercial Property

 

Construction

 

Corporate

 

Corporate Restructuring & Insolvency

 

Debt Collection & Asset Recovery

 

Disputes

 

Employment

 

Immigration

 

Intellectual Property

 

Notarial

 

Planning

 

Regulations & Compliance

 

Agricultural Land and Estates

 

Employment

 

Family Law

 

Family Mediation

 

Immigration

 

Notary Public

 

Personal Data

 

Personal Disputes

 

Personal Insolvency

 

Residential Property

 

Safeguarding Vulnerable People

 

Succession Planning

 

Wills, Trusts & Estates

CLOSE
See how we support our local communities

Southampton 023 8048 2482

Winchester 01962 679 777

Ryan Mitchell | 5th January 2022

Data Protection Officer (DPO) : 4 key questions answered

SHARE

Ryan Mitchell | 5th January 2022

Data Protection Officer (DPO) : 4 key questions answered

A Data Protection Officer (“DPO”) is the person who looks after data protection compliance within an organisation.

What is a DPO? Do we need one?

In this blog we explain what a DPO is, whether you need one, who you should appoint as one and more.

What is a Data Protection Officer?

A Data Protection Officer is a person formally appointed by your organisation to lead data protection compliance. Their obligations may include:

  • monitoring internal compliance and advising colleagues on data protection obligations;
  • conducting Data Protection Impact Assessments (“DPIAs”) and Legitimate Interest Assessments (“LIAs”); and
  • acting as first point of contact for data subjects and the Information Commissioner’s Office (the “ICO”).

This is done by the DPO implementing policies and procedures to manage the processing of personal data. The DPO should also work closely with the persons in your organisation who are responsible for information security as protection of personal data is a key legal responsibility.

Another important role for the DPO is to ensure that your organisation has an effective staff training programme for data protection. The DPO should work with your HR team to ensure that staff receive data protection training which is relevant to their duties and levels of seniority.

How should we choose a DPO?

A Data Protection Officer should be appointed on the basis of their professional qualities. In particular, their experience and knowledge of data protection law. If your organisation carries out particularly complex data processing activities then the expertise of your DPO should reflect this.

Even if your organisation only carries out basic processing of personal data, it is usually a good idea to ensure your Data Protection Officer has some data protection training before they start.

Your DPO can have other responsibilities within your organisation, provided that these do not conflict with the Data Protection Officer’s data protection duties. This means an existing employee can be your DPO. Alternatively, the position of DPO can be outsourced via a service contract to an external individual or organisation.

A single DPO can be appointed for a group of organisations but you must ensure they are still able to perform their tasks effectively. The DPO shouldn’t be placed in a position where they have a conflict of interests between different organisations.

Do we need to have a DPO?

UK GDPR says that you must appoint a Data Protection Officer if:

  • you are a public authority (as defined in Section 7 Data Protection Act 2018) or body other than courts acting in their judicial capacity;
  • your core activities require large scale, regular and systematic monitoring of individuals (e.g. online behaviour tracking); or
  • your core activities consist of large-scale processing of special categories on data or data relating to criminal convictions and offences.

If you do not fall into the above categories then you aren’t legally required to appoint a DPO but it may nevertheless be sensible to do so. Many organisations find it easier to stay on top of data protection compliance once they have appointed a suitably experienced DPO.

Do we need to tell the ICO that we have appointed a Data Protection Officer?

UK GDPR requires you to make public the contact details of your Data Protection Officer and to provide them to the ICO. This enables data subjects, your employees and the ICO to contact the Data Protection Officer when required.

To add a Data Protection Officer to your business you will need a registration number and security number. You can add a DPO by completing the online form on the ICO’s website.

If you do not know your security number then you can email the ICO on dataprotectionfee@ico.org.uk with the subject line “Add a DPO”. In this email you will need to include:

  • the registration number of your organisation;
  • whether you are required to provide the details of your Data Protection Officer or if you are doing so voluntarily; and
  • the name, address, phone number and/or email address of your DPO if they are an individual (e.g. a member of staff) or the name, address, phone number and/or email address of the external organisation that will be carrying out the Data Protection Officer duties on your behalf.

If you have any queries relating to this blog or Data Protection Officers in general, please contact Ryan Mitchell.

Southampton: 023 8160 0702

Winchester: 01926 941 021

Search
Phone
Enquiry
Menu
CLOSE close
CLOSE