What is a DPO?
A DPO is an individual appointed by an organisation to assist them with data protection compliance. A DPO should be an expert on data protection.
A DPO must be allowed to function independently, meaning that they can carry out their data protection compliance tasks without fear of dismissal or other detriments as a result of, for example, them bringing any compliance issues to light.
Appointing a DPO does not shift ultimate responsibility for data protection compliance onto the DPO. The DPO helps an organisation to achieve compliance, but responsibility still ultimately lies with the data controller (ie the party that decides on the purposes for and means of processing - eg storing and collecting - personal data, like names and addresses) or the data processor (ie the party carrying out the instructions of the data controller in relation to the processing of personal data).
What does a DPO do?
A DPO’s role can cover a range of tasks related to an organisation’s data processing activities. These include helping to:
monitor compliance with internal policies and data protection laws (eg by assessing how an organisation processes and securely stores personal data and by conducting audits)
inform and train people within the organisation about data protection laws, obligations, and practices
create data protection documents or carry out data protection procedures (eg Data protection impact assessments (DPIAs) or an Information security policy)
A DPO can sometimes perform other tasks (ie outside of their core tasks, listed above). They cannot, however, work on anything that would introduce a conflict of interest with their core tasks. For example, a DPO could not be asked to do a marketing task that considers how to communicate with potential customers, as such decisions would likely involve a conflict between the marketing campaign’s aims and data protection compliance aims.
It’s also required that a DPO can report directly to the highest level of an organisation’s management (eg board level). They may interact more regularly with another lower manager (eg a line manager), but they must have direct access to the highest level of management (ie the people who make decisions about data processing).
Who can be a DPO?
A DPO can be almost anybody who has the necessary data protection experience and expertise for the role. Which experience and expertise is necessary depends on a business’ needs. A business that carries out large-scale, complex, or particularly risky data processing will likely need a DPO with more specialised expertise and experience than a business undertaking smaller, lower-risk processing. It can also be helpful for your DPO to have specific knowledge about your business and sector and the exact data processing activities you carry out within this context.
You can appoint an existing employee, a new employee, or an external contractor. When appropriate, you may also share a DPO with other businesses within a group of companies, if your company is part of a group.
Supporting your DPO
An organisation cannot just appoint a DPO and leave them to their own devices. It’s important to support a DPO to enable them to perform their role independently and adequately. An organisation also demonstrates its commitment to data protection compliance by supporting its DPO and appropriately integrating them into its business. Things that should be done to support a DPO include:
allowing them appropriate access to the organisation, including access to personal data and processing activities and to services the DPO may need for support or information
facilitating their reporting to the highest level of the organisation’s management
providing adequate resources to facilitate the DPO independently and adequately performing their functions
including the DPO in all data protection matters in a timely and substantial way
seeking the DPO’s advice when undertaking a DPIA
Who has to appoint a DPO?
Not all organisations need to appoint a DPO. The GDPR requires that data controllers or processors must appoint a DPO if:
the organisation is a public authority or a public body (excluding courts acting in their judicial capacity),
the organisation’s core activities (ie primary business activities as opposed to, for example, payroll or HR functions) require that it carries out large scale, regular, and systematic monitoring (ie data processing), or
the organisation’s core activities involve processing data relating to criminal convictions and offences on a large scale
It can be difficult to identify whether an organisation has core activities that require it to carry out ‘large scale, regular, and systematic’ processing. Processing may be considered ‘regular’ and ‘systematic’ if it involves tracking and profiling people in any form, either online or offline. This is often used for certain types of advertising. Assessing whether processing is ‘large-scale’ should involve consideration of:
how many data subjects the organisation has
the volume of data being processed (ie processing many pieces of data from each data subject would lead to a higher volume)
the range and geographical extent of your data and processing activities, and
how long the processing is carried out for
If you’re not sure whether your organisation needs to appoint a DPO, you can Ask a lawyer to refer you for help working it out.
Voluntary appointment of a DPO
An organisation can appoint a DPO even if it’s not legally required to do so. Appointing a DPO can be a great way to utilise somebody’s expertise to help an organisation to comply with data protection laws.
However, an organisation that voluntarily appoints a DPO must still meet the requirements and rules set out for DPOs. For example, it must still allow them to operate independently and report to its highest level of management.
For more information, you can read the ICO’s detailed guidance on DPOs. If you’re unsure where to start with data protection compliance, or you need help with your organisation’s data protection documents, you can use our GDPR compliance advice service.