The role of a Data Protection Officer (DPO) is to assist your business with internal compliance and inform and advise on your data protection obligations.
The General Data Protection Regulation (GDPR) which comes into force this month (25 May 2018) introduces a duty to appoint a DPO if you are a public authority or you carry out core activities which consist of large scale processing of special categories of data or data relating to criminal convictions and offences. This applies to both data controllers and data processors.
Your core activities are the primary business activities of your organisation. So, if you need to process personal data to achieve your key objectives, this is a core activity. This is different from processing personal data for other secondary purposes, which may be something you do all the time (for example, payroll or HR information) but which is not part of carrying out your primary objectives. Employers in the financial services, insurance or other regulated industries are likely to be caught by this requirement.
You can decide to voluntarily appoint a DPO, even if you are not required to. However, if you choose to appoint a DPO, you should be aware that the same requirements for the position and its tasks apply as if the appointment had been mandatory. Even if you are not required to appoint a DPO within your business, you must ensure that your business has sufficient staff and resources to discharge your obligations under the GDPR.
In summary, a DPO must be an expert in data protection, adequately resourced and report to the highest management level. The DPO can be an existing employee of your business or externally appointed. In some cases, several organisations can appoint a single DPO between them. DPOs can help you demonstrate compliance with the GDPR.
The GDPR requires you to publish the contact details of your DPO and provide them to the Information Commissioner’s Office (ICO). This enables individuals, your employees and the ICO to contact the DPO when necessary.
It is worth noting that a DPO is not personally liable for data protection compliance. As the controller or processor, it remains your responsibility to comply with the GDPR. Despite this, a DPO clearly plays an important role in helping a business fulfil its data protection obligations.
If you require any advice on data protection, please contact Farleys Solicitors on 0845 287 0939 or submit your enquiry through our online form.