Data Protection Officers – should we appoint a DPO?
Even though it’s more than 2 years since GDPR became enforceable, I’m still regularly asked the question, ‘Do you think we should appoint a DPO?’
The GDPR introduced a requirement for certain organisations to appoint a Data Protection Officer. Their role is to advise the business on data protection requirements and obligations, monitor compliance and act as a contact point for individuals and data protection regulators (such as the ICO).
The role of a DPO has been well documented elsewhere, but what we find causes the most confusion are these questions:
- Does my organisation need to appoint a DPO?
- If not, would we be well-advised to appoint one anyway?
- Can I outsource this role?
So, let’s work through these questions.
Which organisations need to appoint a DPO?
The requirements for organisations to appoint a DPO are clearly laid out on the ICO website and by other Supervisory Authorities in other jurisdictions, so we won’t repeat their advice here. But let’s pick out a few key points.
Firstly, you NEED to appoint a DPO if:
- you are a public authority or body (except for courts acting in their judicial capacity); or
- your core activities require large scale, regular and systematic monitoring of individuals (for example, online behaviour tracking); or
- your core activities consist of large-scale processing of special categories of data or data relating to criminal convictions and offences.
You should remember that the requirements apply to both controllers and processors.
And if you don’t need to appoint a DPO?
Even if your organisation is not obliged to appoint a DPO, you still need to make sure you have ‘sufficient staff and resources to meet the organisation’s obligations under the GDPR’. So, you need to give thought to how you will achieve this. For example, who will…
- train your staff on data protection & privacy?
- advise your business functions on data protection obligations and good privacy practices?
- ensure appropriate people (e.g. function heads) are held accountable for the processing conducted by their teams?
- make sure any new processing, or changes to processing, are properly assessed?
- create & maintain your Records of Processing Activities (RoPA)?
- monitor compliance?
- act as the liaison point for your staff, customers and others whose data you process, and for any queries / complaints from Regulators?
The conclusion some organisations have come to is to appoint a DPO, whether it’s strictly necessary or not. Whilst many organisations chose to create a new role, others chose to appoint an existing employee to the role. It’s important to take care that their other duties don’t conflict with their obligations under the DPO role.
Others have chosen not to appoint a DPO but have made sure there is a person or team in the business responsible for data protection compliance, for example a Privacy Manager.
It is worth noting that if you do appoint a DPO, this is a unique role. The GDPR sets out specific tasks a DPO is responsible for, and the organisation has a duty to support the DPO to help them fulfil these responsibilities (see GDPR Articles 37-39).
For example, the DPO must be independent, be an expert in data protection, be adequately resourced and report to the highest management level.
How about an outsourced DPO?
It’s become quite popular to outsource the DPO role to an external supplier – particularly for businesses which are subject to budget pressures, perhaps as a result of COVID-19.
Outsourcing can be an efficient, lower-cost option, particularly for small to medium-sized businesses, enabling them to bring in specialist resources on a retainer without the difficulties and expense of recruiting a permanent employee.
There are other benefits of outsourcing this role:
- Clearly defined job function & boundaries
- A qualified and experienced person (hopefully!) with access to other supporting resources
- Independence – avoids the conflicts of interest which can plague internal resources, e.g. having to juggle DPO obligations alongside other duties.
- Support is ‘on-tap’ when you receive a Subject Access Request or if you suffer a data breach
- Access to third party templates, policies and processes
- Onsite or remote working
The best option will very much depend on the size and nature of your business and the types of data you’re processing.