Data protection officers
Certain organisations are required by the GDPR to appoint a data protection officer ‘DPO’, but any organisation may appoint one voluntarily as part of a commitment to good privacy compliance practice. As the name suggests, the DPO must be involved, properly and in a timely manner, in all issues relating to the protection of personal information, and the GDPR requires organisations which have a DPO to seek the DPO’s advice on every Data Protection Impact Assessment conducted for new processing.
Organisations which must appoint a data protection officer
The GDPR requires a controller or processor to appoint a DPO if any one of the following applies:
- it is a public authority or body;
- its core activities consist of processing operations which require regular and systematic monitoring of data subjects on a large scale; or
- its core activities consist of processing on a large scale special categories of data or personal information relating to criminal convictions and offences.
Unless it is obvious that there is no requirement to appoint a DPO, any decision not to appoint one should be documented together with the reasons for it, so that the organisation can show a regulator that the question was considered. The ICO publishes a self-assessment DPO questionnaire to help organisations decide whether they need to appoint a DPO.
The ideal data protection officer
A DPO must have expert knowledge of national and European data protection law and practice and in-depth knowledge of the GDPR. They should have strong leadership skills so that they can ensure everyone in the organisation complies with the GDPR, and they must be experienced in working with board members as a key adviser and in liaising with regulators.
A DPO may be an employee, or the role may be outsourced. If you outsource the role, however, you run the risk that the DPO does not know enough about your business to do a thorough job. The position of DPO may be combined with another role within an organisation, but there must be no conflict of interest between the DPO’s other duties and their independence in carrying out their data protection tasks. In particular, the DPO must not determine the purposes and means of processing personal information, which rules out most senior management roles.
Responsibilities of an organisation to its data protection officer
The appointment of a DPO must be taken seriously. The DPO must have the full support of the board and senior management, report directly to the highest level of management, be given sufficient time to fulfil their duties and be fully resourced.
Note that the GDPR protects DPOs against dismissal or penalty for performing their DPO duties. This bolsters the autonomy and independence of the role. It does not prevent the legitimate dismissal of a DPO for reasons unrelated to the performance of those duties, e.g. gross misconduct.
Finally, it is important to stress that a DPO is not personally responsible for non-compliance with the GDPR. Responsibility for GDPR compliance remains at all times with the organisation.
A culture of continuous compliance
In our view, the way to ensure compliance with the GDPR and to protect personal information is through a cultural shift in your organisation. At The Privacy Compliance Hub, we help organisations (whether they have a DPO or not) establish and maintain a culture of continuous compliance by making everyone in the organisation understand privacy, care about it and do their bit to protect personal information. Our platform provides a structure, a programme, a route map, records, information, reporting and training to enable organisations of any size to comply with the GDPR.