When do you need a data protection officer?

GDPR | 4 August 2021

The EU General Data Protection Regulation 2016/679, or "GDPR", sets out when an organization must appoint a "data protection officer" (DPO), where that role sits in the organization, and the data protection tasks the DPO is responsible for. Although the UK has now left the EU, the same rules continue to apply in the UK (as the UK GDPR). In this article, we look at each of these requirements, consider how they apply to organizations, and answer the most frequently asked questions about the role of a data protection officer.

What is a data protection officer?


Data protection officers help organizations meet their regulatory obligations relating to the collection and processing of personal data. Given that organizations face serious reputational damage when personal data is not handled securely, the role of the DPO is becoming more and more important in today's business environment.


Does my business need a DPO?


Article 37 of the GDPR specifies three situations in which a DPO must be appointed. These apply to both data controllers and data processors. The first applies if you are a public authority or body. Second, if your core activities involve regular and systematic monitoring of individuals on a large scale, such as tracking activity or behaviour, possibly using algorithms for advertising purposes, you will need a DPO. Finally, if your core activities involve large-scale processing of "special category" personal data (as defined in Article 9 of the GDPR) or of data relating to criminal offences and convictions, you must also designate a DPO.


Please note that even if none of these conditions applies to your organization, you are still obliged to provide appropriate staff and resources to support your data protection framework. If you decide to appoint a DPO voluntarily, be aware that the same requirements apply to that appointment as to a mandatory one. For this reason, smaller organizations often assign data protection responsibilities to an existing role rather than formally designating a DPO.


What is the responsibility of the DPO?


DPOs have clearly defined responsibilities to help their organizations and employees understand and comply with the GDPR and related data protection obligations. Their typical activities include:


  • Providing data protection training

  • Conducting internal audits of activities that process personal data

  • Reviewing data protection impact assessments (under Article 35 of the GDPR)

  • Acting as the designated contact point for the Information Commissioner's Office (ICO) and for any data subject who wishes to enquire about the processing of their personal data

  • Coordinating the identification and reporting of any personal data breaches that may occur


It is worth noting that although DPOs are responsible for advising their business leaders on how to comply with the GDPR and meet its specific requirements, senior management remains accountable for understanding and acting on the advice the DPO provides. For this reason, the data protection officer usually reports to the highest level of management, and the role relies on cooperation across the organization (whether the company is a data controller or a data processor). Although a data protection officer may have other responsibilities within the organization, care should be taken to ensure that these do not conflict with, or interfere with, their ability to carry out their DPO tasks.


Who can become a DPO?


Article 37 further states that the post holder should be a professional with expert knowledge of data protection law and practice who is able to carry out the tasks set out in Article 39 of the GDPR. A DPO should therefore be able to demonstrate thorough training in the GDPR and a professional approach that enables them to communicate and advise clearly at all levels of the organization. Risk management experience is an important attribute, as it enables them to prioritize high-risk processing activities, or those where a personal data breach would cause the most harm.


Risk assessment gives DPOs a deeper understanding of the adequacy and security of personal data processing activities, especially in operations that process special categories of data (such as reviewing the medical status of health insurance policyholders) or data about criminal offences and convictions (for example, monitoring the activities of offenders). An experienced DPO will consider factors such as the number of data subjects involved, the volume of personal data being processed, whether the processing is ongoing or one-off, and the likely risks associated with the processing.


Do charities need a data protection officer?


A common area of concern is whether registered charities need to appoint a data protection officer. The main consideration here is whether the charity's activities include the kinds of personal data processing described in Article 37 (reviewed above). Although many charities will not meet this threshold, the Charity Commission has stated that having a DPO is "desirable". A qualified DPO, however, will not be a low-cost hire. Many charities have therefore considered engaging an external DPO, on a part-time or on-demand basis, who can provide independent expertise that the organization could not fund as a full-time position. Whatever engagement model is adopted, every charity is responsible for recruiting, selecting and managing its DPO (where one is needed), and should be able to rely on the DPO for timely, appropriate and accountable GDPR compliance guidance.


Conclusion


Whether you are required to appoint a DPO, choose to appoint one voluntarily, or rely on an experienced individual in another position, their knowledge of data protection legislation and how to implement it in your business will significantly improve your level of GDPR compliance.

To help companies complete their GDPR journey, we provide an online GDPR knowledge and awareness course for only £49 + VAT.


