A key change brought in by the GDPR is the requirement under Article 38 for certain groups of companies to appoint a Data Protection Officer (‘DPO’). Some member states, such as Germany, already had national legislation requiring the appointment of a DPO; however, the GDPR helped standardise the use of DPOs across all member states.
Definition Under the GDPR
A Data Protection Officer is required to have expert knowledge of data protection laws and practices and must report directly to the highest management level of a controller or processor.
The GDPR requires that an organisation appoints a DPO where it is a:
- Public authority or body (excluding the courts);
- Private company where the “core activities” of the company include:
  (a) large scale, regular and systematic monitoring of individuals (such as online behaviour tracking);
  (b) large scale processing of special categories of data or data relating to criminal convictions and offences.
The Data Protection Act 2018 in the UK imposes the obligation to appoint a DPO under s69 – s71 in relation to law enforcement processing.
Article 39 sets out the following minimum tasks for a DPO:
(a) to inform and advise the controller or the processor and the employees who carry out processing of their obligations;
(b) to monitor compliance with this Regulation, including the assignment of responsibilities, awareness-raising and training of staff and the related audits;
(c) to provide advice where requested as regards the data protection impact assessments;
(d) to cooperate with the supervisory authority;
(e) to act as the contact point for the supervisory authority.
What Does the GDPR Definition Really Mean?
The DPO is responsible for advising organisations about their obligations under the GDPR as well as monitoring compliance. As part of their role in ensuring compliance, they may be involved in managing internal data protection activities, advising on DPIAs, training staff and conducting audits. The DPO should be the first point of contact for supervisory authorities and individuals whose data is processed.
The DPO should be appointed for their expert knowledge on data protection law and practices and they should be provided with the appropriate resources to carry out their tasks.
The GDPR harmonised the use of DPOs across the member states and removed the obligation to submit notifications and registrations to local agencies. Instead, the GDPR requires companies to keep adequate internal records and appoint a DPO where a company’s core activities consist of processing operations which require regular and systematic monitoring of data subjects on a large scale or of special categories of data or data relating to criminal convictions and offences.
The DPO requirement was one of the most significant changes brought in under the GDPR, and many companies fall into one of the categories above and need to ensure that they have appointed a DPO.
What Must my Business do to Ensure Compliance?
If your business requires a DPO, you must ensure that you either appoint one or have a contract with an external individual or organisation who will act as your DPO. You should ensure all of your senior staff members are aware that they are not permitted to give instructions to the DPO or impose any penalty on them. If your DPO is an internal hire, you should also ensure adequate provisions are in place to minimise any risk of a conflict of interest between their DPO duties and any other duties they hold. You must publish the contact details of your DPO and provide the details to the ICO (you do not have to publish their name, but may choose to do so).