What is a Data Protection Officer and does my business need one?

23 July 2021


What is a Data Protection Officer?

The Data Protection Officer (DPO) is the individual who monitors whether the business (as data controller or processor) complies with the UK GDPR (UK General Data Protection Regulation). The DPO is not personally liable for the business's breaches; that liability stays with the controller or processor. No specific qualification is required, but the DPO must have expert knowledge of data protection law and practice, proportionate to the processing the business carries out, so that the business can meet its obligations.

The larger the organisation and the more personal data it controls and processes, the more experienced and knowledgeable the DPO should be. The DPO should also understand the nature of the business itself, so that customer journeys and the risks they carry can be properly assessed.

A DPO need not be full time, but the person discharging the duty must not hold another role that conflicts with it, for example heading a marketing function whose decisions about how personal data is used the DPO would then be monitoring.

What does a Data Protection Officer do?


The DPO's tasks are set out in Article 39 of the UK GDPR as:

  • to inform and advise the business and its employees about their obligations under the UK GDPR and other data protection laws;
  • to monitor compliance with the UK GDPR, other data protection laws and the business's own data protection policies, which includes managing internal data protection activities, raising awareness of data protection issues, training staff and conducting internal audits;
  • to advise on, and to monitor, data protection impact assessments;
  • to cooperate with the ICO; and
  • to be the first point of contact for the ICO and for the individuals whose data is processed (employees, customers and so on).

The role covers all of the business's personal data processing, not only the activities that triggered the appointment.

  • The DPO must consider the risk carried by the business's processing, having regard to "the nature, scope, context and purposes of the processing".
  • Higher-risk activities, for example the processing of special category data, should be given priority. It follows that the DPO's advice should be risk-based.
  • If the business decides not to follow the DPO's advice, the decision and the reasons for it should be recorded in writing.

Does my business need a Data Protection Officer?

Size alone is not the test, but a small business is less likely to carry out processing on the scale that makes a DPO compulsory. You can still appoint a DPO voluntarily, and doing so is good practice. Be aware, however, that all of the duties above apply equally to a voluntarily appointed DPO, so weigh the benefits against the additional burden the role brings.

Whether or not a business is required to appoint a DPO, it must have sufficient staff and resources to meet its obligations under the UK GDPR. A DPO helps with this by coordinating compliance work, and the role is good for governance and accountability.


For guidance on whether or not your business requires a DPO, the ICO has created a helpful online tool: https://ico.org.uk/for-organisations/does-my-organisation-need-a-data-protection-officer-dpo

If it is borderline whether your business should appoint a DPO and you decide not to, record the reasoning in writing so that you can demonstrate the decision to the ICO if asked.

Is a Data Protection Officer mandatory?

Under the UK GDPR it is compulsory to appoint a DPO where the business:

  • is a public authority or body (other than courts acting in their judicial capacity); or
  • has core activities that require regular and systematic monitoring of individuals on a large scale, such as online behaviour tracking; or
  • has core activities that involve large-scale processing of special category data (for example health data) or of data relating to criminal convictions and offences.

What are the legal responsibilities of a data protection officer?

  • As explained above, the DPO informs and advises the business and its staff on all aspects of data protection.
  • The DPO checks that the business's activities comply, e.g. by reviewing its website, policies and marketing activities.
  • The DPO should consider what would happen if a personal data breach occurred, gauge the likely consequences for the individuals affected, and satisfy themselves, with the IT function, that appropriate technical and organisational security measures are in place. The DPO monitors those measures rather than operates them; responsibility for security remains with the business.
  • The DPO is the point of contact for subject access requests, enquiries and complaints, supports the business in responding to them within the statutory time limits, and deals with ICO registration and breach notification (which must reach the ICO within 72 hours of the business becoming aware of a notifiable breach), communicating with the Information Commissioner whenever required.

John Davies
15th July 2021
