Data Protection Officer: Really

Job in Cardiff, Cardiff City Area, CF10, Wales, UK
Listing for: Harperjames
Full Time position
Listed on 2026-03-04
Job specializations:
  • Government
    Data Analyst
  • Administrative/Clerical
Salary/Wage Range or Industry Benchmark: 100000 - 125000 GBP Yearly
Job Description & How to Apply Below
Position: Data Protection Officer: Do You Really Need One?

Does my business need a data protection officer?

Updated on 16 February 2023

A lot of the advice we provide around data protection compliance concerns the importance of being able to illustrate the steps you have taken to comply with the data protection regime as it applies to your business.

Accountability is one of the key principles of the UK/EU GDPR (“GDPR”), and appointing a data protection officer (“DPO”) who has the relevant knowledge and expertise is one of the ways you can show you are accountable to the individuals whose data you process. Although the GDPR doesn’t oblige every business to employ a DPO, a good rule of thumb is to assume that you do need a DPO unless you can clearly demonstrate that the GDPR requirements for appointing a DPO don’t apply to you.

Here we examine the roles and responsibilities of the DPO within an organisation and ask whether you need to appoint one. A common conclusion for many businesses is to outsource the role to a DPO-as-a-service provider to oversee your data protection practices.

What is a data protection officer responsible for?

A data protection officer (DPO) should be the go-to person for all data protection issues within an organisation. Your staff should be able to rely on the DPO’s expertise when data protection issues arise, and the general public should be able to contact the DPO directly about the data processing activities of your business. The data protection regulator, for example the Information Commissioner’s Office (ICO), which is the UK data protection authority, will also want to correspond with the DPO.

  • To inform and advise controllers, processors, and employees of their data protection obligations.
  • To monitor GDPR compliance within an organisation, develop staff training and awareness-raising and advise on data protection audits.
  • To liaise with the data protection regulator when necessary and act as a formal contact with the regulator on all issues relating to data processing.

A DPO must always bear in mind the risks associated with any processing activities while carrying out their functions.

Do I need a data protection officer under GDPR?

A DPO helps organisations minimise the risks inherent in processing personal data. With the various sanctions available to the ICO under the GDPR, this is more important now than ever before. But many of our clients – particularly some small and medium-sized businesses – think that appointing a DPO is a disproportionate expense when they only handle a small volume of data or when the data they do process is not overly sensitive.

Under GDPR you have no choice about appointing a DPO if:

  • You are a public authority.
  • Your core activities require large scale, regular and systematic monitoring of individuals.
  • Your core activities consist of large scale processing of special categories of data or data relating to criminal convictions and offences.

To determine your ‘core activities’, you need to consider whether you need to process personal data in order to meet your primary business objectives. If you do, then your processing of data is a core activity requiring you to appoint a data protection officer.

‘Special categories’ of data include racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic and biometric data, sex life or sexual orientation and health data.

Whether you need to appoint a DPO under the GDPR does not depend on the size of your business or the number of employees you have. There’s no exemption or get-out for SMEs in this regard. What matters is the nature and amount of data you process.

Do you have to appoint a DPO if you’re not legally obliged to?

If the GDPR requirements about appointing a DPO don’t apply to your business, do you still need to consider employing one?

You might not process sensitive information, for example, or you may only process the information of a small number of individuals. In these situations, while appointing a DPO might not be necessary, you still have to meet all your obligations under GDPR – and a DPO can help you ensure compliance by monitoring regularly, advising…
