View Blog

What is a Data Protection Officer and does my business need one?

“What is a DPO? The Data Protection Officer is an individual who ensures that the business complies with UK GDPR law.”

John Davies
Everyday Legal, Co-founder and Legal Expert

The CEO meets the Data Protection Officer

What is a Data Protection Officer?

The Data Protection Officer (DPO) is an individual who ensures that the business (as data controller or processor) complies with the UK GDPR (United Kingdom General Data Protection Regulations). He or she will not become personally liable for breaches and does not need any special qualifications but should have a good experience, knowledge and understanding of data protection requirements so the business can fulfil its obligations.

The larger the organisation and the more data controlled and processed, the more experienced and knowledgeable the DPO should be. The DPO should also really understand the nature of the business so that customer journeys and risks can be better understood.

A DPO need not be full time, but it makes sense for the person discharging that duty not to be conflicted in any way e.g. being in charge of risky marketing.

What does a Data Protection Officer do?

The company Data Protection Officer explains GDPR

The DPO’s tasks are defined in the regulations as:

to inform and advise the business and its employees about their obligations to comply with the UK GDPR and other data protection laws;
to monitor compliance with the UK GDPR and other data protection laws, and with the data protection policies of the business, including managing internal data protection activities; raising awareness of data protection issues, training staff, and conducting internal audits;
to advise on, and to monitor, data protection impact assessments;
to cooperate with the ICO; and
to be the first point of contact for the ICO and for individuals whose data is processed (employees, customers etc).

The DPO should also know that this role includes covering all personal data processing activities.

The DPO must consider the risk carried by the processing undertaken by the business having regard to “the nature, scope, context and purposes of the processing”.
More risky activities should be given priority e.g. processing special category data. It follows then that advice should be risk-based.
If a business decides against following a DPO’s advice, this should be recorded in writing for reference and a reason why.

What is a Data Protection Officer?

The Data Protection Officer (DPO) is an individual who ensures that the business (as data controller or processor) complies with the UK GDPR (United Kingdom General Data Protection Regulations. He or she will not become personally liable for breaches and does not need any special qualifications but should have a good experience, knowledge and understanding of data protection requirements so the business can fulfil its obligations.

A DPO need not be full time, but it makes sense for the person discharging that duty not to be conflicted in any way e.g. being in charge of risky marketing.

Does my business need a Data Protection Officer?

For small businesses, it is less likely you will need a DPO, but you can appoint someone into such a position on a voluntary basis, and it really is good practice. However, should you choose to appoint a DPO, the above duties equally apply where a business voluntarily appoints a DPO - so think carefully about the benefits versus the additional burden that comes with the role.

Please note that whether or not a business is required to appoint a DPO, it must have sufficient staff and resources to carry out its obligations under the UK GDPR. However, a DPO should be able to facilitate this and to assist with compliance. It certainly would be good for governance and accountability.

Data Protection And Data Security Policy

Reveal Template Description

Data Protection And Data Security Policy
A 'business data protection and data security policy' document for your organisational HR and employee needs.

Social Media Policy

Reveal Template Description

Social Media Policy
A business social media policy document template for your organisational HR and employee needs.

Website Privacy Policy

Reveal Template Description

Website Privacy Policy
A business website privacy policy document for your online presence, organisational HR and employee needs.

Website Terms And Conditions

Reveal Template Description

Website Terms And Conditions
A 'Website terms and conditions' document. It is considered best practice to install appropriate terms and conditions on your website. If you do collect personal data, you must by law have a compliant privacy policy.

For guidance on whether or not your business requires a DPO, the ICO has created a helpful online tool: https://ico.org.uk/for-organisations/does-my-organisation-need-a-data-protection-officer-dpo

If your business is borderline as to whether or not a DPO should be appointed and you decide not to appoint, it is a good idea to record this in writing.

Is a Data Protection Officer mandatory?

It is compulsory to appoint a DPO under the UK GDPR, where the business is;

A Public Authority (other than Courts); or,
Performing large scale, regular and systematic processing or controlling of individuals’ data such as online behaviour tracking; or
Performing large scale, regular and systematic processing or controlling of individuals’ special category data such as medical or data relating to criminal convictions and offences.

What are the legal responsibilities of a data protection officer?

As explained above a DPO needs to inform and advise the business and its staff on all aspects of data protection;
The DPO needs to check compliance of the activities of the business, eg. review its website, policies, and marketing activities.
The DPO should look what might happen if there was a breach and gauge the consequences and check with IT that the database is safe and secure;
The DPO needs to comply with subject access requests, enquiries, complaints, registrations and notifications, and of course communicate with the Information Commissioner if required to do so.

John Davies
15^th July 2021

Saving you time and money

We hope you enjoy our short informative blogs. We are all about empowering the individual to take better ownership and control of the legal aspects of their personal and business life. We have a plethora of legal document templates that are quick and easy to explore and create. What's more, creation and editing is free. Explore our templates here

“Discover 7 essential facts you need to know about creating a power of attorney”

Learn More

“Redundancy happens when a business has to dismiss an employee because it no longer needs someone to fulfil that role.”

Learn More

“How to make a valid DIY will. There are many reasons why someone should make a will and very few reasons not to.”

Learn More

2021

March

What is a promissory note and what can it be used for?

How do I go about a Change of Name legally?

What is a Shareholders Agreement?

February

What is a Settlement Agreement?

Things you should know about Flexible Working Requests

5 things to consider regarding Health & Safety, Discrimination, Employment and the Covid 19 Vaccine

With Redundancies at Record Levels are Businesses Following a Fair Process?

January

Lookout 2021 Caravan and Motorhome Holiday Bookings are Booming

A Guide to the Understanding and Importance of Legal Contracts

After Brexit Transition - What Provisions are needed for Data Transfer?

2020

December

Legal rights for wedding events impacted by Coronavirus

How to witness your Will by video link

November

Everyday Legal In Action - Helping Individuals and Business

Shareholder Disputes - How to Avoid Them

The Smart Entrepreneur - Tips for Startups & Small Businesses

Being a Shrewd Entrepreneur and Setting up a New Business

October

Our Top Customer Needs in Everyday Legal's First 8 Months of Trading

The Top 10 Reasons To Have Excellent Terms & Conditions for Business Success

Top 5 Benefits of Having Good Company Policies Documented

An Expert Guide On Why You Need To Register Your Business' Trademark

10 Top Tips to Save Money On Legal Expenses for Businesses

September

Working from home successfully

Common things to pursue in a Small Claims Court

Here is a list of rental agreements to help you make money

Over 50 and starting a business? You need to consider these contracts, agreements and policies

August

Renting Out Your Motorhome

Our Youngest Billionaire!

UK to Make Will Witnessing Easier

Legal Issues and the Small Business Part III

July

Legal Issues and the Small Business Part II

Legal Issues and the Small Business Part I

Can Business force employees back to work?

Everyday Legal - the first 4 month trading

June

Flexible Working Part 2

Flexible Working Part 1

The Crucial Documents Every Small Business Should Have.

Should I Care About Governance In My Small Business?

May

Working with Data Protection - Part 2

Working with Data Protection - Part 1

Should a Contractor use an Agency?

Working for Yourself (Part 3)

New Whiplash laws & procedures

Working for Yourself (Part 2)

April

Working for Yourself (Part 1)

Fancy a change of name?

How to safely witness your Will

Can Employers change contract terms?

March

Have You Made a Will Yet?

Health & Safety Tips for the Small Business

Working from Home

The Value of Policies and Procedures

The Importance of a Non-Disclosure Agreement

The Bank of Mum and Dad

Registering a TradeMark

Blue Passports are back

IR35 and Off-Payroll Tax

February

How to leave Cryptocurrency in your will

Why Use a Contract

Building our Website - Tech Blog 1

Life After Brexit - Consequences for you

Urgent Brexit Message from HMRC

January

A Cookie ticks so many boxes

2019

December

No Deal Brexit. What are the Data transfer concerns