What does a data protection officer (DPO) do, and what are the benefits of having one? We explain key responsibilities and provide a candidate checklist.
Key takeaways
- In the UK, appoint a DPO if your business is a public authority that processes personal data, carries out large-scale, regular monitoring of people, or processes large amounts of sensitive information.
- A DPO can be a new or an existing employee or a contractor.
- The benefits of a DPO include data protection expertise, independence and a single point of contact.
- DPOs are involved with compliance monitoring, training, DPIAs and reporting.
- The ICO offers guidance on supporting your DPO, from ensuring they report to the highest management level to providing adequate resources, such as time, finance and infrastructure.
- Our candidate checklist includes asking questions such as, “Does the person have a significant degree of subject matter expertise about the GDPR and data protection?”
- The first thing a DPO should do is conduct a data protection compliance audit, focusing on areas such as governance, lawful processing and data security and minimisation.
This guide outlines what you need to think about when appointing a DPO and how to support them.
- Do you need to appoint a DPO?
- Who can be a DPO?
- What are the benefits of having a DPO?
- What are their core responsibilities?
- How to support your DPO
- DPO candidate checklist
- What is a DPO’s first priority?
Do you need to appoint a DPO?
In the UK, you need to appoint a DPO if:
- Your organisation is a public authority or body that processes personal data.
- Your business performs large-scale, regular and systematic monitoring of individuals, as defined by the General Data Protection Regulation (GDPR).
- Your business needs to process large volumes of sensitive data, such as special category data or data about criminal convictions and offences.
Whom can you appoint as DPO?
A DPO doesn't have to be a new employee. They can be an existing one, as long as there is no conflict of interest with any other duties they perform.
You can also contract the role out. Just remember that if you do, the person must have the same position, tasks and duties as an internal DPO would have.
The individual must have the right skills and knowledge of data protection.
Why? Because it's a requirement of Article 37(1) of the GDPR.
What are the benefits of having a DPO?
- Data protection expertise - Having one person as the primary subject matter expert, rather than spreading the knowledge around different people within the business.
- Independence - As the DPO needs to be free of any conflicts of interest, their independence allows them to challenge processes, strengthening control and avoiding regulatory breaches.
- Single point of contact - If breaches happen, one person has the overall responsibility for making sure they are reported on time, avoiding confusion, delays and possible regulatory sanction.
What are a DPO's key responsibilities?
While the DPO is not personally responsible for compliance (Articles 4(7) and 4(8) of the GDPR assign that to the data controller and processor), they have a crucial role in ensuring compliance.
- Training - The DPO needs to inform those processing personal data of their obligations under the GDPR and data protection laws.
- Compliance monitoring - This includes managing data protection policies and activities, raising staff awareness, arranging staff training and conducting internal audits.
- Data protection impact assessments (DPIAs) - The DPO advises on and monitors DPIAs. These help your business identify and minimise the data protection risks of a specific project.
- Point of contact - They are the primary contact for the relevant supervisory authority (the Information Commissioner's Office, or ICO, in the UK) and for individuals whose data has been processed.
- Reporting - The DPO must report data breaches to the ICO within 72 hours.
Supporting your DPO
If you appoint a DPO, they need the correct level of support to fulfil their duties. The UK ICO provides guidance on this. You must ensure the following:
- The DPO is involved closely and promptly in all data protection issues.
- The DPO reports to the highest management level, i.e. board level.
- The DPO is independent and not dismissed/penalised for performing their tasks.
- The DPO has appropriate access to personal data and processing activities, essential support, input and information.
- Advice is sought from the DPO when conducting DPIAs.
- Details of your DPO form part of your records of processing activities.
- Adequate resources are provided for the DPO to meet regulatory obligations and maintain their expertise:
  - Time
  - Financial
  - Infrastructure
  - Staff
Remember that once you have appointed your DPO, you need to inform the ICO and publish their contact details (that could be as simple as including an email address within your data privacy notice).
DPO candidate checklist
- Knowledge - Does the person have a significant degree of subject matter expertise about the GDPR and data protection? Are any gaps easily addressed?
- Independence - Does the DPO role conflict with any other they have within the firm? For instance, if they process data, they may be conflicted out.
- Coaching - Will this person be able to educate and inform staff about their GDPR responsibilities?
- Interpersonal skills - Does the person have the confidence to liaise with regulators if necessary?
What should be first on your DPO's agenda?
Once you have appointed a DPO, their priority should be to conduct a data protection compliance audit. This closely reflects the responsibilities shown above.
Key subjects to address in a data protection audit
- Governance - systems and controls
- Responsibilities - understanding legal obligations
- Lawful processing - how personal data is dealt with
- Data security - confidentiality, integrity and availability
- Data minimisation - collection, review and retention
- Data subjects' rights - informing subjects and responding to requests
- Data breaches - recognising, responding and reporting
- Contractors and suppliers - how to deal with third-party processing
- Human resources - dealing with employee-related data
- Overseas data - transferring and processing data within the EU and beyond
We've produced a self-assessment questionnaire with 140 data protection checks covering the topics above to help you benchmark your compliance processes.
DPO: FAQs
Does a DPO need to be a lawyer or an IT expert?
No, but they must have expert knowledge of data protection laws, understand IT systems, business processes and security risks, and have strong communication and compliance management skills.
What happens if a company is required to appoint a DPO but doesn’t?
Regulatory action and fines of up to €10 million or 2% of global annual turnover, per the GDPR.
What’s a data subject, controller and processor?
A data subject is an individual whose personal data is collected or processed. A data controller (which can be a person or a company) decides why and how personal data is processed. A data processor is a third party that processes data on behalf of the controller and according to its instructions, such as a payroll service.
Want to learn more about GDPR?
Our Essentials Library contains e-learning content designed to help organisations meet fundamental compliance requirements. If you are looking for focused training, our Data Protection and GDPR Training Package offers a complete solution for your compliance programme. Courses in the libraries include:
We've created a comprehensive GDPR compliance roadmap to help you navigate the compliance landscape. If you would like to access leading insights and compliance tips, you can browse our free resources by topic to find guides, modules, compliance bites and more.