What is a Data Protection Officer and does my business need one?

The Data Protection Officer (DPO) is an individual who ensures that the business (as data controller or processor) complies with the UK GDPR (United Kingdom General Data Protection Regulations). He or she will not become personally liable for breaches and does not need any special qualifications but should have a good experience, knowledge and understanding of data protection requirements so the business can fulfil its obligations.

The larger the organisation and the more data controlled and processed, the more experienced and knowledgeable the DPO should be. The DPO should also really understand the nature of the business so that customer journeys and risks can be better understood.

A DPO need not be full time, but it makes sense for the person discharging that duty not to be conflicted in any way e.g. being in charge of risky marketing.

The DPO should also know that this role includes covering all personal data processing activities.

• The DPO must consider the risk carried by the processing undertaken by the business having regard to “the nature, scope, context and purposes of the processing”.
• More risky activities should be given priority e.g. processing special category data. It follows then that advice should be risk-based.
• If a business decides against following a DPO’s advice, this should be recorded in writing for reference and a reason why.

The Data Protection Officer (DPO) is an individual who ensures that the business (as data controller or processor) complies with the UK GDPR (United Kingdom General Data Protection Regulations. He or she will not become personally liable for breaches and does not need any special qualifications but should have a good experience, knowledge and understanding of data protection requirements so the business can fulfil its obligations.

The larger the organisation and the more data controlled and processed, the more experienced and knowledgeable the DPO should be. The DPO should also really understand the nature of the business so that customer journeys and risks can be better understood.

A DPO need not be full time, but it makes sense for the person discharging that duty not to be conflicted in any way e.g. being in charge of risky marketing.

For guidance on whether or not your business requires a DPO, the ICO has created a helpful online tool: https://ico.org.uk/for-organisations/does-my-organisation-need-a-data-protection-officer-dpo

If your business is borderline as to whether or not a DPO should be appointed and you decide not to appoint, it is a good idea to record this in writing.

Is a Data Protection Officer mandatory?

It is compulsory to appoint a DPO under the UK GDPR, where the business is;

• A Public Authority (other than Courts); or,
• Performing large scale, regular and systematic processing or controlling of individuals’ data such as online behaviour tracking; or
• Performing large scale, regular and systematic processing or controlling of individuals’ special category data such as medical or data relating to criminal convictions and offences.

What are the legal responsibilities of a data protection officer?

• As explained above a DPO needs to inform and advise the business and its staff on all aspects of data protection;
• The DPO needs to check compliance of the activities of the business, eg. review its website, policies, and marketing activities.
• The DPO should look what might happen if there was a breach and gauge the consequences and check with IT that the database is safe and secure;
• The DPO needs to comply with subject access requests, enquiries, complaints, registrations and notifications, and of course communicate with the Information Commissioner if required to do so.