When to appoint a Data Protection Officer

Appointing a data protection officer is much more than simply giving someone a title. The decision whether or not to appoint a data protection officer is a serious one and must be considered carefully. You need to know why you may need to appoint one. You need to know what you should look for in a data protection officer. And you need to know the risks if you appoint the wrong one.

By Claire Heaphy

Privacy Compliance Hub Information Officer

February 2020

Data Protection Officer

Data protection officers  

Certain organisations are required to appoint a data protection officer ‘DPO’ by the GDPR, but any organisation may decide to appoint one voluntarily as part of a commitment to good privacy compliance practice.  As the name suggests, the DPO should be fully involved in all issues relating to the protection of personal information and the GDPR mandates that organisations which have a DPO must involve them in all Data Protection Impact Assessments conducted for new processing.  

Organisations which must appoint a data protection officer

The GDPR requires the following controllers and processors to appoint a DPO:

  • public authorities and bodies; and/or
  • those whose core activities consist of processing operations requiring regular and systematic monitoring of data subjects on a large scale; and/or
  • those whose core activities consist of processing on a large scale special categories of data or personal information relating to criminal convictions and offences.

Unless it is obvious that there is no requirement to hire a DPO, any decision not to appoint one should be documented with reasons.  The ICO has a useful self-assessment DPO questionnaire to help organisations assess whether they need to appoint a DPO.

Answer our GDPR compliance checklist questions and we will email you an objective, personalised audit report within minutes, completely free of charge.

Get your audit

The ideal data protection officer

A DPO must have expertise in national and European data protection laws and in-depth knowledge of the GDPR.  They should have strong leadership skills to ensure everyone in the organisation complies with the GDPR and they must be experienced in working with board members as a key advisor and liaising with regulators.

A DPO may be an employee, or the role may be outsourced.  However, if outsourcing you run the risk that the DPO may not know enough about your business to do a thorough job.  The position of DPO may be combined with another role within an organisation, but there must be no conflict of interest between any of the DPO’s other duties and the independence of the DPO with regard to their data protection tasks.  The DPO is not allowed to determine the purposes and means of processing personal information which excludes most senior management.

Responsibilities of an organisation to its data protection officer 

The appointment of a DPO must be taken seriously.  The DPO must have the board and senior management’s full support, report directly to the board, be given sufficient time to fulfil his/her duties and be fully resourced. 

Note that DPOs are protected by the GDPR against dismissal or penalty for performing their DPO duties.  This is to bolster the autonomous role and independence of the DPO.  It does not prevent legitimate dismissal of a DPO for reasons other than performing their duties as a DPO eg. gross misconduct.

Finally, it is important to stress that no DPO is personally responsible for non-compliance with the GDPR.  The responsibility for GDPR compliance remains at all times with the organisation.

If you want more practical content like this article, please click below to sign up for our monthly newsletter.

Sign up now

A culture of continuous privacy compliance 

In our view, the way to ensure compliance with the GDPR and protect personal information is through a cultural shift in your organisation.  At The Privacy Compliance Hub, we help organisations (whether they have a DPO or not) establish and maintain a culture of continuous privacy compliance by making everyone in an organisation understand privacy, care about privacy and to do their bit to protect personal information.  Our platform contains a structure, a programme, a route map, records, information, reporting and training to enable all organisations to comply with the GDPR.

More to watch and read