Under the GDPR (General Data Protection Regulation), certain organisations are required to appoint a DPO (data protection officer) to oversee their compliance practices.
In this blog, we explain when a DPO is required and how you can get started when appointing one.
What are a DPO’s responsibilities?
A DPO is an independent expert responsible for monitoring an organisation’s GDPR compliance practices. Their responsibilities include:
- Advising staff on their data protection obligations;
- Reviewing the organisation’s data protection policies and procedures;
- Advising management on the necessity of DPIAs (data protection impact assessments);
- Serving as the point of contact between the organisation and its supervisory authority regarding data protection issues; and
- Serving as the point of contact for individuals on privacy matters, such as DSARs (data subject access requests).
A full list of the DPO’s responsibilities is outlined in Article 39 of the GDPR.
Do I need to appoint a data protection officer?
Organisations must appoint a DPO if they are subject to the GDPR and:
- Are a public authority or body;
- Regularly and systematically monitor data subjects; or
- Process special categories of data on a large scale.
These are only the mandatory requirements for appointing a DPO. Many organisations benefit from appointing one even if they aren’t legally required to do so.
That’s because having an independent data protection expert on board can help with their wider GDPR compliance practices. A DPO will act as a central figure who provides compliance support.
What skills do you need to be a DPO?
DPOs must have an in-depth understanding of data protection law and regulatory requirements. A good DPO will also have soft skills, because they are responsible for communicating with staff, data subjects and supervisory authorities.
Remember, the DPO must act independently, being careful not to overstep their boundaries. As such, they must learn what they can and cannot disclose while undertaking the role.
Who can be a DPO?
There are no formal requirements for who can become a DPO. The position doesn’t need to be filled by a lawyer or a qualified data protection practitioner.
The only prerequisite is that they must have a strong knowledge of data protection law. This should ideally cover both practical experience and technical expertise, backed up with qualifications.
Finding someone who has both technical and soft skills will no doubt be a challenge. Fortunately, the GDPR makes the task a little easier by creating plenty of options for who you can choose.
Organisations can hire an external candidate or appoint someone internally. They can also outsource the position to another firm or share a DPO with other organisations.
Each option comes with its own benefits and will be suitable for different organisations, depending on their size and the scale of their data processing activities.
In the next section, we look at the pros and cons of each option.
Appointing someone internally
The simplest way to fulfil your DPO requirements is to appoint an existing member of staff. They can either take on the role alongside their existing position or become a full-time DPO.
Either way, you must be careful, because the GDPR stipulates that a DPO must work independently and without instruction from their employer.
An employer should not provide guidance on how to investigate complaints, what the results of that investigation should be, or how the DPO should interpret data protection law.
Similarly, DPOs can’t have competing aims, where business objectives could be prioritised over data protection.
There are circumstances in which an employee can take on the DPO’s responsibilities without a conflict of interest, but we suggest avoiding the risk.
Even if you are confident that there is no problem, job roles and responsibilities often evolve, and a conflict of interest might arise without you noticing.
Hiring an external candidate
Appointing an external candidate as your DPO will greatly reduce the risk of a conflict of interest. You can create a new position within the organisation, with the DPO being given the freedom to take on their responsibilities in whichever way they deem appropriate.
Unfortunately, this is almost certainly going to be the least practical solution. Data protection experts are hard to find, with a far greater demand than supply. As such, suitable candidates will be able to command high salaries, which will be unaffordable for most organisations.
Outsourcing the DPO role
By contracting the DPO role to a third party, you get an ideal middle ground between an internal and external candidate. You will still bring in an external party to take over the necessary tasks, ensuring that you have a qualified expert while avoiding a conflict of interest.
In addition, you will avoid the cost of appointing a full-time, salaried DPO. That’s because most outsourced DPOs work for several organisations, therefore splitting the cost.
If you want to know more about how the process works, GRCI Law can help. Our DPO as a service package provides you with the expert support you need to meet your GDPR compliance requirements.
One of our team of data protection practitioners will be assigned to your organisation, and will fulfil the necessary tasks to ensure that you remain GDPR compliant.