Whether an organisation needs a data protection officer (DPO) or not is one of the big questions in the run-up to GDPR being enforced on 25 May 2018, and your organisation may be required to have one. The DPO’s main responsibility is to advise on and monitor GDPR compliance within an organisation, and to remind data processors and controllers of their data protection responsibilities.
The DPO is the first point of contact for any data protection queries and must have a direct line to top-level management. They are not responsible for the organisation’s GDPR compliance but act as an intermediary between the Information Commissioner’s Office (ICO) and the organisation.
The DPO must be independent, cannot have a dual role and must not be appointed if there is a conflict of interest between their role and the organisation’s. A lower-level employee would be able to take on the role; however, it is unlikely that they would have suitable qualifications. As the internal authority on data guidance, the DPO must be an expert on all things GDPR.
Who is required to have one?
A DPO is not always essential. However, the Article 29 Working Party, an advisory body of the EU which contributed to the GDPR, stipulates that organisations should assume that one is necessary unless they can demonstrate otherwise.
The criteria for a DPO are as follows:
- When an organisation is processing large amounts of personal data or special categories of data (e.g. political opinions, religious beliefs).
- When data processing is carried out by a public authority.
- When the uses of data involve large-scale monitoring of data subjects (the people about whom data is held).
A DPO is not required if:
- personal data is not processed at all
- personal data is only processed on a small scale
- the main activities of the organisation rarely involve monitoring data subjects.
Even if a DPO is not necessary, the Article 29 Working Party states that organisations should keep records of their processes and data breaches.
Organisations that process large amounts of data, such as search engines, hospitals and governments, will need a DPO. A DPO will also be essential if the collection, monitoring and handling of data is vital to your organisation’s activities.
Decide to what extent you need to process data to function properly as an organisation. If it is essential, you will need a DPO.
Who should be advised to have one?
If your organisation handles large quantities of data, then it would be wise to consider appointing a DPO. If you have looked at your organisation and decided you do not need one, the Article 29 Working Party advises that you conduct an internal analysis before deciding. This will depend on the size and scale of the data processing.
Smaller charities may only need a DPO for a limited time, and hiring somebody specifically for the role may be excessive. In this situation, it would be appropriate to outsource the DPO function to a third party or bring someone in on a contract basis. This data protection officer would still be part of and represent your organisation and would be there for any data protection related queries you may have.
Even if you have not identified a need for a DPO, you can appoint one on a voluntary basis, which the Article 29 Working Party encourages. This shows the ICO and your members a commitment to GDPR compliance and to upholding individuals’ rights and freedoms.