Data protection officers
Certain organisations are required by the GDPR to appoint a data protection officer (‘DPO’), but any organisation may decide to appoint one voluntarily as part of a commitment to good privacy compliance practice. As the name suggests, the DPO should be fully involved in all issues relating to the protection of personal information, and the GDPR mandates that organisations which have a DPO must involve them in all Data Protection Impact Assessments conducted for new processing.
Organisations which must appoint a data protection officer
The GDPR requires the following controllers and processors to appoint a DPO:
- public authorities and bodies; and/or
- those whose core activities consist of processing operations requiring regular and systematic monitoring of data subjects on a large scale; and/or
- those whose core activities consist of processing on a large scale special categories of data or personal information relating to criminal convictions and offences.
Unless it is obvious that there is no requirement to hire a DPO, any decision not to appoint one should be documented with reasons. The ICO has a useful self-assessment DPO questionnaire to help organisations assess whether they need to appoint a DPO.