
    Why you need a Data Protection Officer in light of GDPR

    Published on 28 Jan 2019 by Martyn Oughton

    Editor's note: This post was originally published in April 2018 and has been refreshed to provide additional information.

    Today, 28th January, is Data Privacy Day. The purpose of Data Privacy Day is to raise awareness and promote privacy and data protection best practices. 

    It's also 8 months since the General Data Protection Regulation (GDPR) came into effect across Europe. 

    GDPR came into force on 25th May 2018. In the build-up to the new regulation, businesses were busy getting prepared. Alarmingly, though, a HubSpot survey carried out in September 2017 - a mere 8 months before the regulation was due to be introduced - revealed that only 36 percent of business leaders had even heard of GDPR!

    As it's Data Privacy Day, and with GDPR in mind, we decided to take another look at the role of the Data Protection Officer (or DPO). This was one of the biggest decisions organisations had to make ahead of GDPR - whether or not to appoint a new DPO for their business.

    Now, 8 months on, organisations may be wondering whether they made the right choice. If you didn't appoint a DPO but are now wondering if you should have done, this refresher should help you.

    A question of choice

    This is an interesting one – because for many businesses this formal requirement is not compulsory, and therefore may be something that was dismissed early on in the preparations. But, is that the right answer, especially given that the appointment of a DPO can still be made voluntarily?

    The legal bit

    For most larger financial services businesses, this is something that has already been covered, as they will already have data protection officers in place, given the amounts of personal data that they process and the controls they need to have in place under existing data protection legislation. However, what if you don’t already have a DPO? Should you have one?

    The answer is yes if you’re a public authority or body, but also if you’re constantly monitoring individuals on a systematic basis and it’s a core part of your business, or if you process special types of data on a significant scale.

    This guidance isn’t necessarily easy to fit into a checklist, which you can tick off to say whether you need a DPO or not. In fact, the easier route may be to appoint a DPO if your business processes significant volumes of personal data as part of your activities.

    In good company

    The decision about whether to appoint a DPO (or whether to have a team supporting the DPO depending on the size of your business) is not a decision needed by only a few businesses. In fact, back in September 2016, research carried out by GO DPO found that around 7,000 businesses, each employing more than 250 people, needed to appoint a DPO. That’s a lot of recruitment and training that is needed!

    What it means in practice

    The decision to appoint a DPO may not be as onerous as it first looks. For a start, it doesn’t have to be a new employee – it could be an existing employee or manager; but here’s the rub.

    It’s essential that this person has the right level of skills and knowledge of data protection relative to the level of personal data processing carried out as well as the level of protection required for the data subjects.

    Why? Because it’s a requirement of GDPR that this is the case – Article 37(1) to be precise.

    But what does a DPO actually have to do – after all, surely they aren't responsible for carrying out all of the tasks to protect customers’ data?

    DPO responsibilities:

    • They have to be able to inform those processing personal data of their obligations under GDPR.
    • They have to monitor the firm’s performance as a data controller, as well as advise on any impact assessments carried out.
    • They will also have to be the primary contact with the relevant supervisory authority (which in the UK is the Information Commissioner’s Office (ICO)). This will also include the requirement to report breaches within 72 hours of discovery.

    All of this might seem onerous, but there are benefits to having a DPO.

    Benefits of having a DPO:

    • Having one person as the primary subject matter expert, rather than trying to spread the knowledge around many different people within the business.
    • As the DPO needs to be able to act independently and free of any conflicts of interest, the benefit of having independent oversight and challenge to controls, which should help retain control strength and avoid regulatory breaches.
    • However, if breaches do happen, one person has the overall responsibility for making sure they are reported on time, avoiding confusion, delays and possible regulatory sanction.

    However, the most important aspect of all is making sure that the person taking on the DPO role has the necessary skills and knowledge to carry out the role. This is where training provided by an established provider demonstrating a key specialism in the area of GDPR can prove to be invaluable.

    Checklist for appointing a Data Protection Officer

    1. Has the most appropriate person been selected, given the need for a significant degree of subject matter expertise as required under GDPR?
    2. Has a gap analysis been carried out in terms of their knowledge and understanding of GDPR requirements?
    3. Can the person act independently? Does their role conflict with any other role they may play in the firm (e.g. someone who processes data may be conflicted out of being the independent DPO)?
    4. Will this person be able to educate and inform staff about their GDPR responsibilities?
    5. Does the person have the interpersonal skills and confidence to be able to liaise with regulators if necessary?

    Want to know more about GDPR?

    As well as 30+ free compliance training aids, we regularly publish informative GDPR blogs. And, if you're looking for a training solution, why not visit our GDPR course library.

    If you've any further questions or concerns about GDPR, just leave us a comment below this blog. We are happy to help!


