• 15 Mar 2023
• •
• 2 min read

Does my organisation need a Data Protection Officer (DPO)?

A private sector organisation which acts as a controller or processor in respect of any personal data must appoint a DPO when its core activities (i.e. its main business activities) consist of either:

1. The regular and systematic monitoring of data subjects on a large scale. This may occur, for example, when the organisation carries out online behaviour tracking.
2. Large-scale processing of special category or criminal conviction/offence personal data.

The UK General Data Protection Regulation (UK GDPR) does not define what is meant by “large scale” processing but we do know that consideration should be given to: the number of data subjects concerned, the volume of personal data; the type of personal data, the duration of the processing and the geographical extent of the processing.

An organisation may also choose to have a DPO to be responsible for data protection compliance, even if the law does not require this. However, if a DPO (using the specific term ‘DPO’ rather than an alternative like Privacy Officer / Manager) is appointed voluntarily, the same requirements as set out below will apply as if the appointment had been mandatory. 

The DPO appointed must:

1. Be professionally qualified and have expert knowledge of data protection law and practices.
2. Be involved in all matters relating to data protection in a timely manner.
3. Be sufficiently well resourced to be able to perform their tasks.
4. Report to the highest level of management within the organisation and be given autonomy to carry out their role so they can act independently when performing their tasks.

A DPO can be an existing employee or externally appointed. Either way, the UK GDPR requires DPOs to carry out certain tasks including:

1. Advising the controller or processor and its employees of their obligations under the UK GDPR and other applicable data protection laws. This includes providing training to employees.
2. Monitoring the organisation’s compliance with the UK GDPR, other applicable data protection laws and the controller’s or processor’s policies and procedures relating to data protection.
3. Advising on data protection impact assessments (DPIAs).
4. Cooperating with supervisory authorities (in the UK this is the Information Commissioner’s Office / ICO) and acting as the point of contact on issues relating to data processing.

The controller or processor must publish the contact details of the DPO (e.g. on its website and in its terms and conditions of business) and also provide these details to the ICO. If an organisation concludes that it does not need to appoint a DPO (and chooses not to do so voluntarily) it should record this decision to help demonstrate compliance with the UK GDPR’s ‘accountability principle’.

Finally, it is worth noting that data protection reform is back on the agenda in the UK which may see changes relating to the requirement for, and role of, DPOs in the medium term. 

Our data protection team have many years of experience in advising organisations on their compliance with UK data protection law. To speak to one of the team you can get in touch here or call us on 0800 2800 421.

If you have not received this article directly, but would like to receive articles and data protection news alerts from Trethowans, please contact us.