Depending on the size and nature of your business, you may need to appoint a Data Protection Officer (otherwise known as a DPO). The role of a DPO is to ensure that you process personal data correctly and safely alongside other functions. This article will explore whether your company is required to appoint a DPO. Furthermore, it will explore the main functions of a DPO within your business.
When Does My Company Need a Data Protection Officer?
The UK General Data Protection Regulation (GDPR) requires your business to appoint a DPO where its main activities include:
- carrying out large-scale and regular monitoring of individuals (for example, tracking the online behaviour of the public for behavioural advertising);
- processing data relating to criminal convictions, offences or sentences; or
- handling ‘special categories of data’.
Most businesses fall into the third bullet point (handling ‘special categories of data’), so let us explore that point below.
What Are Special Categories of Data?
Your company will handle ‘special categories of data’ where it stores, collects or amends:
- health data;
- genetic data;
- any data regarding an individual’s sexual orientation or sex life;
- personal data concerning race, ethnic origin or religion;
- biometric data (for example, fingerprint recognition or iris scans); and
- personal data revealing political views or trade union membership.
This information requires special protection because it is extremely sensitive and personal to the individuals involved. Because of this, your company will need to appoint a Data Protection Officer to ensure your organisation treats this information fairly and avoids data breaches.
The DPO must continuously review the useful lifespan of information and ensure deletion once it has no further use to your company. The GDPR requires organisations to avoid keeping personal data for longer than necessary. Failure to comply can be investigated by the ICO (Information Commissioner’s Office).
Considerations When Appointing a Data Protection Officer
The first important point is that you can nominate an existing employee to act as Data Protection Officer. It does not have to be their job title but is a crucial responsibility, so you should give them time to perform the DPO role.
There are several requirements of a DPO. Namely, they must:
- be easily accessible by you, your staff, the ICO and your customers (usually by publishing their contact email address);
- have relevant experience in data processing and suitable knowledge of data protection law;
- operate independently and not suffer any penalty for ensuring GDPR compliance and meeting data protection obligations;
- be given access to relevant information and given adequate resources (whether financial, staffing levels, computer equipment or otherwise) to perform the role well; and
- be involved in all critical data protection matters (including carrying out data protection impact assessments).
It is important to note that the DPO is not personally responsible for any data protection non-compliance by your company. Therefore, while their role is to reduce the risk of data breaches and financial penalties, your business remains liable for any non-compliance it incurs, including any fine the ICO imposes.
Key Takeaways
Your company’s data protection responsibilities continue beyond the appointment of a data protection officer. Accordingly, you must ensure they have the relevant resources to perform their role. Additionally, there may be times when their advice on data protection compliance goes against something you believe would be best for the company. In this scenario, it is important not to dismiss them (or push them to resign in protest), as doing so could expose your business to an unfair dismissal claim and an ICO investigation. In this sense, your business must always be mindful that appointing the DPO is only the first step; the second step is to heed their advice carefully.
If you need help with data protection requirements and the nomination of a Data Protection Officer, our experienced data, privacy and IT lawyers can assist as part of our LegalVision membership. For a low monthly fee, you will have unlimited access to lawyers to answer your questions and draft and review your documents. Call us today on 0808 196 8584 or visit our membership page.
Frequently Asked Questions
Yes, even if your company is not required to have a DPO because it does not handle any special categories of data, your business can still appoint one. For example, many companies do so to assist HR and senior management with data protection responsibilities.
They usually supervise all significant data handling within your business. Their main tasks include data protection paperwork, carrying out Data Protection Impact Assessments and risk assessments, and ensuring data is stored safely and securely.