What is a Data Protection Officer (DPO)?
A DPO's primary role is to ensure that an organisation processes the personal data of its staff, customers, providers, or any other individuals “in compliance with the applicable data protection legislation”.
Do we need a Data Protection Officer (DPO)?
One of the questions CSRB is often asked is “Do I need a DPO?”
While there are clear guidelines about which businesses must have one, there are many more that would benefit from having a DPO.
Under the UK GDPR regulations you need to have a DPO if your core activities require you to monitor data subjects (the people whose data you hold), or to process special categories of data on a large scale. A special category is any personal data that reveals information such as ethnic origin, health, or political affiliations.
Any public body is also required to appoint a DPO. While many small or medium size organisations may fall outside the requirement, it is regarded as good practice to have a DPO.
What does a Data Protection Officer (DPO) do that would make them an asset to all organisations?
- Monitoring compliance with the regulations – UK GDPR is often mentioned as the key set of regulations that need to be adhered to and respected. But in the UK the Privacy and Electronic Communications Regulations 2003 (PECR) is another piece of legislation that governs privacy rights in relation to electronic communications. The Data Protection Act (2018) is the UK’s implementation of GDPR, and a DPO would be well versed in all these pieces of legislation.
- Advising on and carrying out Data Protection Impact Assessments (DPIA) – This is a process to help you identify and minimise the data protection risks of a project. It is good practice to do a DPIA for any major project which requires the processing of personal data.
- Acting as a point of contact. This can be with a supervisory authority (such as the ICO), or with other members of staff with data protection queries. It may also include handling data subject access requests from individuals who want to find out what data is held about them (data subjects).
- Monitoring data protection policies and procedures. Ensuring that an organisation’s procedures are in line with regulations, and reducing risk both to the data subjects and to the organisation. This is often facilitated via an annual data protection audit.
As this list shows, supporting staff and management in understanding what data protection entails is an important part of the DPO’s responsibilities.
The potential penalties for breaching data protection regulations are severe, so it is beneficial to have someone who understands how your working practices can impact the organisation and who can alert you to vulnerabilities. In reading around the subject of data protection you may come across the terms “controller” and “processor”.
There is a requirement for a DPO whichever of these applies to your business. We will look at what they mean in more detail in a future blog.