Who needs a DPO and what do they do?
This Bite is about the role and requirements of a DPO – that’s a Data Protection Officer. The role and duties of a data protection officer are varied – it is an interesting and challenging job. Within the scope of Article 39 of the GDPR, the tasks include:
- To inform and advise the organisation of their duties and responsibilities under the GDPR
- To monitor compliance with the organisation’s own policies and other regulations (including the GDPR) that may be govern the organisations data activities
- Provide advice and guidance on data impact assessments and monitor their performance
- Act as the organisation’s contact point and liaise with the regulator (ICO)
- Always be aware of and advise upon the risks of processing personal data, taking into account the nature, scope, context and purposes of processing
This is very much a minimum list of tasks.
In many cases appointing a DPO may be mandatory – so who needs a DPO? This covered in Article 37. It is a requirement to appoint a DPO if the organisation is a local authority or public body (except for the judicial functions of the courts) – schools are classified as local authorities. Other instances where the appointment of a DPO becomes mandatory depend on the scale and nature of the data being processed. A DPO is a requirement in the following situations:
- The organisation’s main activity is the large scale or systematic monitoring of people
- The data is about a person’s criminal record
- The data is about a person’s racial or ethnic origin
- The data is about a person’s political opinion
- The data is about a person’s religious or philosophical beliefs
- The data is about a person’s trade union membership
- The data is about a person’s sex life or sexual orientation
- The processing or storage of genetic data
- The processing or storage of biometric data for unique identification
- The processing or storage of data concerning a natural person’s health
It is very important for an organisation, if required, to properly include a DPO in all aspects of the way data is collected and processed. All issues must be raised with the DPO in a timely manner – the GDPR has very specific timescales for some of the statutory responses that may be required to enquiries or in the event of a data breach. The position of the DPO must also be properly resourced. They must have the full backing of the senior management team and be empowered to work across the whole of the organisation. In a large organisation, the DPO may need a team of people working under them to fulfil the tasks and duties required.
It is also important that if the role of DPO is fulfilled by a person with other duties within the organisation, that here is no conflict of interest. A DPO must also be unencumbered by management to carry out their duties and must be able to do so without fear of disciplinary action or other retribution.
The designated DPO does not have to be an employee or officer of the organisation – they can be contracted in from a third-party organisation. This will help alleviate the expense of employing a full time DPO for smaller organisations – this is likely to be an expensive role to employ as there is a requirement for a DPO to have the required knowledge of data protection law and professional experience.