What does a DPO do, and what are the benefits of having one? We explain their responsibilities and provide a checklist for deciding whether or not you need one.
Do you need to appoint a DPO?
In the UK, under Article 37(1) of the UK GDPR, you must appoint a DPO if:
- Your organisation is a public authority or body (other than courts acting in their judicial capacity)
- Your core activities require regular and systematic monitoring of individuals on a large scale
- Your core activities consist of large-scale processing of special category data or of personal data relating to criminal convictions and offences.
Whom can you appoint as DPO?
Appointing a DPO may not be as difficult as it first seems.
It doesn't have to be a new employee. It can be an existing one, as long as the role does not conflict with any other duties they perform.
You can even contract the role out. Just remember that if you do, the external DPO must have the same position, tasks and duties as an internal DPO would have.
It's essential that this person has the right level of skill and knowledge of data protection, relative to the scale and sensitivity of the personal data processing carried out and the level of protection the data subjects require.
Why? Because it's a requirement of GDPR Article 37(5): the DPO must be designated on the basis of professional qualities and, in particular, expert knowledge of data protection law and practice.
What are the benefits of having a DPO?
- Data protection expertise - Having one person as the primary subject matter expert, rather than spreading the knowledge around many different people within the business.
- Independence - As the DPO needs to be free of any conflicts of interest, their independence allows them to challenge processes, strengthening control and avoiding regulatory breaches.
- Single point of contact - If a breach happens, one person has overall responsibility for making sure it is assessed and reported on time, avoiding confusion, delays and possible regulatory sanction.
What are key DPO responsibilities?
While the DPO is not personally responsible for compliance (accountability rests with the data controller under GDPR Article 5(2), and with the processor for its own obligations; Article 4(7) only defines what a controller is), they have a crucial role in ensuring compliance.
- Training - The DPO needs to inform those processing personal data of their obligations under GDPR and data protection laws.
- Compliance monitoring - This includes managing data protection policies and data protection activities, raising staff awareness, arranging staff training and conducting internal audits.
- Data protection impact assessments (DPIA) - The DPO advises on and monitors DPIAs. These help your business identify and minimise the data protection risks of a specific project.
- Point of contact - They are the primary contact for the relevant supervisory authority (the ICO in the UK) and for data subjects, i.e. the individuals whose personal data you process.
- Reporting - Under GDPR Article 33, a reportable personal data breach must be notified to the ICO within 72 hours of the controller becoming aware of it (unless it is unlikely to result in a risk to individuals). The legal duty sits with the controller, but in practice the DPO coordinates the assessment and notification.
Supporting your DPO
If you appoint a DPO, they need the correct level of support to fulfil their duties. The UK ICO has provided guidance on this:
- The DPO is involved closely and promptly in all data protection issues.
- The DPO reports to the highest management level, i.e. board level.
- The DPO is independent and is not dismissed or penalised for performing their tasks.
- The DPO has appropriate access to personal data and processing activities.
- The DPO has appropriate access to essential support, input and information.
- Advice is sought from the DPO when conducting DPIAs.
- Details of your DPO form part of your records of processing activities.
- Adequate resources are provided for the DPO to meet regulatory obligations and maintain their expertise.
DPO candidate checklist
- Knowledge - Does the selected person have a significant degree of subject matter expertise in GDPR and data protection? Are any gaps easily addressed?
- Independence - Does the DPO role conflict with any other role they play in the firm? For instance, if they decide the purposes and means of processing (as a head of HR, IT or marketing typically does), they are conflicted out.
- Coaching - Will this person be able to educate and inform staff about their GDPR responsibilities?
- Interpersonal skills - Does the person have the emotional intelligence and confidence to liaise with regulators if necessary?
What should be first on your new DPO's agenda?
Once you have appointed your DPO, their first priority should be to conduct a data protection compliance audit. It closely reflects the responsibilities shown above.
Key subjects to address in your data protection audit
- Governance - systems and controls
- Responsibilities - understanding legal obligations
- Lawful processing - how personal data is dealt with
- Data security - confidentiality, integrity and availability
- Data minimisation - collection, review and retention
- Data subject's rights - informing subjects and responding to requests
- Data breaches - recognising, responding and reporting
- Contractors & suppliers - how you deal with third party processing
- Human resources - dealing with employee-related data
- Overseas data - transferring and processing data within the EU and beyond
We've produced a self-assessment questionnaire with 140 data protection checks covering the topics above to help you benchmark your compliance processes.
Want to learn more about GDPR?
If you'd like to stay up to date with GDPR best practices, industry insights and key trends across regulatory compliance, digital learning, EdTech and RegTech news, subscribe to the Skillcast Compliance Bulletin.
To help you navigate the compliance landscape, we have collated searchable glossaries of key terms and definitions across complex topics, including GDPR, Equality, Financial Crime and SMCR. We also regularly report key learnings from recent GDPR fines. And if you're looking for a compliance training solution, why not visit our GDPR Course Library?
You can follow our ongoing YouGov research into compliance issues, attitudes and risk perceptions in the UK workplace through our Compliance Insights blogs.
Last but not least, we have 70+ free compliance training aids, including assessments, best practice guides, checklists, desk-aids, eBooks, games, handouts, posters, training presentations and even e-learning modules!
If you've any questions or concerns about compliance or e-learning, please get in touch.
We are happy to help!