A Data Protection Officer (“DPO”) is the person who looks after data protection compliance within an organisation.
In this blog we explain what a DPO is, whether you need one, who you should appoint as one and more.
A Data Protection Officer is a person formally appointed by your organisation to lead data protection compliance. Their obligations may include:
The DPO does this by implementing policies and procedures that govern the processing of personal data. The DPO should also work closely with the people in your organisation who are responsible for information security, as protecting personal data is a key legal responsibility.
Another important role for the DPO is to ensure that your organisation has an effective staff training programme for data protection. The DPO should work with your HR team to ensure that staff receive data protection training which is relevant to their duties and levels of seniority.
A Data Protection Officer should be appointed on the basis of their professional qualities, in particular their experience and knowledge of data protection law. If your organisation carries out particularly complex data processing activities, then the expertise of your DPO should reflect this.
Even if your organisation only carries out basic processing of personal data, it is usually a good idea to ensure your Data Protection Officer has some data protection training before they start.
Your DPO can have other responsibilities within your organisation, provided that these do not conflict with the Data Protection Officer’s data protection duties. This means an existing employee can be your DPO. Alternatively, the position of DPO can be outsourced via a service contract to an external individual or organisation.
A single DPO can be appointed for a group of organisations but you must ensure they are still able to perform their tasks effectively. The DPO shouldn’t be placed in a position where they have a conflict of interests between different organisations.
UK GDPR says that you must appoint a Data Protection Officer if:
If you do not fall into any of the above categories, then you aren’t legally required to appoint a DPO, but it may nevertheless be sensible to do so. Many organisations find it easier to stay on top of data protection compliance once they have appointed a suitably experienced DPO.
UK GDPR requires you to make public the contact details of your Data Protection Officer and to provide them to the ICO. This enables data subjects, your employees and the ICO to contact the Data Protection Officer when required.
To add a Data Protection Officer to your business you will need a registration number and security number. You can add a DPO by completing the online form on the ICO’s website.
If you do not know your security number, then you can email the ICO at email@example.com with the subject line “Add a DPO”. In this email you will need to include:
If you have any queries relating to this blog or Data Protection Officers in general, please contact Ryan Mitchell.