To DPO or not to DPO?

The requirement to appoint a Data Protection Officer (DPO) is a feature of many articles about GDPR. It's not immediately obvious what the role entails, or whether the DPO should be external or internal. We look at the details below.
Subscribe to our newsletterGet IT Support

What is a DPO?

Duties of a DPO

Skills and experience?

Do you need one?

What is a DPO?

The DPO is the data protection expert within the organisation. The role of the DPO is to help what the GDPR describes as data ‘Controllers’ and ‘Processors’ comply with data protection law and avoid the risks that organisations face when processing personal data.

Article 37(5) of the Regulation details what is in effect a mini job description for the role:

“The DPO, who can be a staff member or contractor, shall be designated on the basis of professional qualities and, in particular, expert knowledge of data protection law and practices and the ability to fulfil the tasks referred to in Article 39.”

The regulation stipulates that the DPO reports directly to top level management.

Duties of a DPO?
  • Awareness raising of the GDPR and what it means
  • Auditing – of data, data systems and data processes
  • Advising the organisation on their data protection obligations and of measures it needs to take to achieve compliancy
  • Monitoring ongoing compliance including the assignment of responsibilities
  • Training all staff who handle personal data
  • Providing advice where requested with the data protection impact assessments (DPIAs)
  • Engaging with the Information Commissioner’s Office or relevant Supervisory Authority regarding complaints and compliance

NB A DPO is not personally responsible for non-compliance with GDPR. Data protection compliance is the responsibility of the controller or the processor

What skills does a DPO need?

There is no formal DPO qualification (yet). To hire the right DPO, you’ll need to ensure they have expertise in data protection law and practices and a complete understanding of your IT infrastructure, technology, and technical and organizational structure.

A DPO needs advanced knowledge on the GDPR and other relevant data protection laws. They need to understand the business, the data it handles and how to interact with the customer base and the regulator.

They should be able to marshal and lead resources, teams, and projects and handle data-subject requests without difficulty, handle internal and external relationships, communicate effectively with all parties, educate controller/processor personnel and data subjects, and raise data protection awareness.

  • An in-depth understanding of the GDPR
  • Understanding of data processing operations and data security
  • Knowledge of the relevant business sector to the organisation
  • Good communication skills – the DPO will be the public face of the organisation to the Information Commissioner’s Office – and the public
  • Ability to promote a data protection culture within the organisation
  • Expertise in national and European data protection laws and practices
Do you need one?

You should assume that you do, unless you can demonstrate that you don’t, according to The Article 29 Working Party. However, a DPO can come in various shapes and sizes and can be an external appointment/consultant or can be an existing employee.

Under the GDPR, you must appoint a DPO if you:

  • are a public authority (except for courts acting in their judicial capacity);
  • carry out large scale systematic monitoring of individuals (for example, online behaviour tracking) – there is no definition of what ‘large scale’ means; or
  • carry out large scale processing of special categories of data or data relating to criminal convictions and offences (are broadly the same as Sensitive Personal Data under the Data Protection Act 1998. These cover ethnic origin, political opinions, religious beliefs and health data, and apply to, amongst others, polling companies, trade unions and healthcare providers storing patient records)

What are my options?

  • Appoint an external DPO
  • Share a DPO with other organisations
  • Contract out the role of a DPO externally
  • Allocate the role of DPO to an existing employee
  • Break down the role into functions and contract out to experts. If you’re not a technie, let Hero IT Support take control of your IT systems security and encryption.

If you are going to appoint a DPO in-house, they will need the experience, support and knowledge to carry out the role effectively. And it is essential to ensure the professional duties of the employee are compatible with the duties of the DPO and do not lead to a conflict of interests.  Smaller organisations may also find that DPO responsibilities are a challenge to deliver, given the breadth of knowledge required to manage IT systems, and the requisite familiarity with the legal aspects of the GDPR.

Are SMEs exempt?

No. GDPR applies to every data controller and processor, regardless of size, industry, employee count. The fines are applicable to every organisation so it is worth taking action today to ensure you are GDPR compliant by May.

“I’ve heard plenty of people talking about there being a DPO exemption for SMEs – this is absolutely not the case.”

Peter Brown, Senior Technology Officer, Information Commissioner’s Office (ICO) speaking to InfoSec June 2017.

We take GDPR seriously

Ragnar is the Director of Hero IT Support and has been for over 10 years after graduating The University of Sussex with a BSc in Computer Science and Artificial Intelligence. Ragnar originally set up the company as Fitsystems Ltd and rebranded to Hero IT Support in September 2017. To see why he rebranded the company, click here.

Over the years, Ragnar has developed an expertise in software development, data security and encryption. He is also an active public speaker and business technology partner alongside being a GDPR practitioner, which helps our existing customers feel safe and compliant when it comes to data and IT.

Ragnar’s mission for Hero IT Support is to continuously improve and optimise businesses with the latest and leading technology. He aims to for us to become technology partners to every customer. His passion for technology means reducing downtime and saving money for our customers is a priority. To find out more about who we are and what we do, read about us.

Contact us

6 + 5 =