The GDPR date is fast approaching. Does your business need to appoint a Data Protection Officer?

28 February 2018

Whether a company is required to appoint a Data Protection Officer (DPO) under the new General Data Protection Regulation (GDPR), which comes into force on 25 May 2018, is a matter of some confusion.

The criteria which dictate whether a company is required to appoint a DPO are set out in the GDPR itself. Companies which have no legal obligation to do so may still find the role of a DPO useful to their business.

What is a Data Protection Officer (DPO)?

A DPO is responsible for data protection strategy, monitoring the company's GDPR compliance and advising on the relevant requirements. DPOs are the first point of contact for data subjects, are involved in Data Protection Impact Assessments, and liaise with the relevant supervisory authority, which in the UK is the Information Commissioner's Office (ICO).

Recently released guidance confirms that DPOs are not held personally responsible for non-compliance; that responsibility remains with the organisation as controller or processor.

Does my business require a DPO?

Businesses which meet certain criteria are required to appoint a DPO under Article 37 of the GDPR. The criteria are as follows:

  • Public authorities and bodies, with the exception of courts acting in their judicial capacity
  • Organisations whose core activities require regular and systematic monitoring of individuals on a large scale
  • Organisations whose core activities consist of processing special category data (as specified in Article 9) or data relating to criminal convictions and offences (Article 10) on a large scale

“Large scale” is not defined in the Regulation. The ICO gives guidance as follows:

“The GDPR does not define what constitutes large-scale processing. However, processing may be on a large scale where it involves a wide range or large volume of personal data, where it takes place over a large geographical area, where a large number of people are affected, or it is extensive or has long-lasting effects. In many cases, it is unlikely that small organisations will be processing on a large scale.

Examples of large-scale processing can be found in question 3 of the Article 29 Working Party FAQs on data protection officers”

The Article 29 Working Party guidelines on DPOs set out its recommendations on interpreting “large scale”.

My organisation does not fall into the above criteria. Can I still appoint a DPO?

Regardless of whether you are legally required to appoint a DPO, many professional bodies and associations advise that a DPO should be appointed voluntarily. It is seen as good practice and as a demonstration of commitment to GDPR compliance. Note, however, that where a DPO is appointed voluntarily, the same requirements of Articles 37 to 39 (position, tasks, independence and resourcing) apply as if the appointment had been mandatory.

Who can be a DPO?

Although the GDPR does not specify exact criteria or qualifications a DPO must hold, it does state that the individual should be designated on the basis of professional qualities and, in particular, expert knowledge of data protection law and practice. The responsibilities can be undertaken by either an employee or an outsourced consultant. A DPO must not have a conflict of interest, which means the role cannot be combined with a position that determines the purposes and means of processing, such as chief executive or head of a department such as Marketing, Finance, IT or Human Resources.

How can Aspire help?

Aspire specialises in extensive GDPR compliance audits in which gaps are identified and rectified. The team can provide essential GDPR compliance training to your employees and support you in drafting GDPR policies, privacy notices and any other relevant documentation.

Previous GDPR related Aspire news:

Employer liable for employee's data protection breach

Data Protection Bill

New UK data protection laws on the horizon