Do I need a DPO (Data Protection Officer)?
The GDPR requires organisations to designate a Data Protection Officer (DPO) if they:
- Are a public body (except parish councils in the UK) or
- Process data on a ‘large scale’ or
- Use data to “regularly and systematically” monitor individuals
Whilst not necessarily a full-time role, DPOs do require specialist data protection expertise. The power of the Information Commissioner’s Office (ICO) to impose significant financial penalties, together with the danger of reputational damage from failing to protect personal data, means the role is increasingly important.
WHAT THE LEGISLATION REQUIRES OF DATA PROTECTION OFFICERS
Responsibilities
The DPO should:
- Keep the organisation informed and advised about data protection
- Monitor the organisation’s compliance with the legislation
- Make sure personal data protection is considered ‘by-design’ in new processes and technologies
- Co-operate with and act as the contact point with the ICO or other supervisory authorities
The Person and the Position
The DPO should:
- Have expert knowledge of data protection law and practices
- Report to the highest management level
- Avoid conflicts of interest with any other role they perform in the organisation
WHAT DATA PROTECTION OFFICERS DO IN PRACTICE
DPOs should champion data protection in the organisation – this means they should:
Inform and advise
- Facilitate staff training, including board members, managers and data-facing staff
- Share best practice for data protection across the organisation
- Advise on the impact of other data protection regulations
- Answer queries on all aspects of personal data protection
Ensure individuals can exercise their rights to:
- Request access to their data using a Data Subject Access Request (DSAR)
- Be informed about processing
- Be forgotten
- Rectify incorrect data
- Restrict processing
- Port their data elsewhere
- Object to processing, automated decision-making and profiling
Review and update policies
- Keep policies up to date with data protection requirements, including:
  - Privacy and cookie policy
  - Consent forms
  - General data protection policy
  - Retention policy
  - Employee policies etc.
- Oversee evaluation of new and high-risk processes:
  - Privacy by design
  - Data protection and privacy impact assessments (DPIAs and PIAs)
Oversee sharing of personal data
- Ensure appropriate agreements are in place and monitor compliance, including:
  - Data Sharing Agreements
  - Data Processor Agreements
Manage and oversee communication
- Be the named point of contact with the ICO and other European supervisory authorities
- Oversee and monitor responses to DSARs
Monitor, report and demonstrate accountability
- Ensure all compliance records are maintained, including:
  - Records of Processing Activity (RoPA)
  - Data asset register
  - Breach register
  - Risk register
  - Log of individuals’ exercised rights
  - Supervisory authority contact records
  - Training record
- Report to senior management on how risk and compliance are evolving