Since the General Data Protection Regulation (GDPR), currently in force in the UK as the UK GDPR, came into effect on 25 May 2018 and was implemented in UK national legislation by the Data Protection Act 2018, companies may need to appoint a data protection officer (DPO). Strictly speaking, the regulation states that companies shall designate a data protection officer if the processing is carried out by a public authority or body, if the core activities of the company include regular and systematic monitoring of data subjects on a large scale, and/or if the core activities of the company consist of large-scale processing of special categories of data.
This applies to both controllers and processors. You can appoint a data protection officer if you wish, even if you aren’t required to, and a DPO can bring a variety of benefits.
What you need to know, in a nutshell
- The UK GDPR says that you should appoint a DPO on the basis of their professional qualities, and in particular, experience and expert knowledge of data protection law.
- It doesn’t specify the precise credentials they are expected to have, but it does say that this should be proportionate to the type of processing you carry out, taking into consideration the level of protection the personal data requires.
- So, where the processing of personal data is particularly complex or risky, the knowledge and abilities of the DPO should be correspondingly advanced enough to provide effective oversight.
- It would be an advantage for your DPO to also have a good knowledge of your industry or sector, as well as your data protection needs and processing activities.
- Some of the tasks of the DPO are: to inform and advise the company about its obligations to comply with UK GDPR and other data protection laws and to monitor compliance with the UK GDPR.
- If companies commercially process personal data, they generally have to appoint a data protection officer.
- This appointment is always carried out by the executive management.
- Only those who have recognised qualifications can be appointed.
- If, despite this obligation, no data protection officer is appointed, the company may face fines of up to 10 million euros or, in case of an undertaking, up to 2% of the total worldwide annual turnover of the preceding financial year, whichever is higher.
In this article
- Naming and appointing a DPO
- Duties of a data protection officer
- Who can become a data protection officer
- Who must carry out the appointment?
- Failure to appoint someone could mean a fine
- How does the appointment of a data protection officer take place?
- The appointment certificate
Naming and appointing a DPO
For a long time, data protection officers were “named.” Since the UK GDPR came into effect, however, we refer to the designation or appointment of a data protection officer. These terms ultimately mean the same thing: companies designate a natural or legal person to help the company remain in compliance with the UK GDPR. Important: the appointment is mandatory where any of the following applies:
- The processing is carried out by a public authority or body;
- The core activities of the company consist of processing operations which require regular and systematic monitoring of data subjects on a large scale;
- The core activities of the company consist of processing on a large scale of special categories of personal data.
Duties of a data protection officer
When a data protection officer is appointed, they will ensure that your company complies with all data protection regulations. This includes the following:
- Data privacy training for your staff
- Monitoring of data protection compliance
- Cooperation with the supervisory authorities
- Point of contact for matters to do with the processing of personal data
Who can become a data protection officer?
In order to appoint a DPO, you first need to have a suitable candidate. When screening people, remember these points:
- Only a qualified person can become a data protection officer. This means that the person must have completed training provided by TÜV or DEKRA, for example.
- Your data protection officer requires an insight into your organisation. They should have communication skills and the willingness to develop professionally. Moreover, they cannot be the sort of person who runs away screaming when technical or legal matters come up.
- You must also prevent conflicts of interest. If, for example, you appointed your IT administrator or one of your managing directors as the data protection officer, they would end up monitoring their own work. The legislation rules out such arrangements.
Companies often decide to appoint an outsourced data protection officer because such a provider already has the necessary qualifications and experience and will not be exposed to conflicts of interest. In most cases, the costs are also lower than if an internal employee takes on this task.
At DataGuard, more than 100 people passionately take care of data privacy, compliance, and IT security. Our qualified data protection officers provide individual advice and can be appointed from just £150 per month.
Who must carry out the appointment?
The data protection officer reports directly to the highest level of management within the organisation. The DPO needs to be appointed (and declared to the supervisory authority) by a decision maker within the data controller’s organisation.
Failure to appoint someone could mean a fine
It is not just data breaches or other violations that can lead to fines; you could also be fined if you fail to appoint a data protection officer where required. Under the UK GDPR, fines can be as high as £17.5 million or 4% of the company’s global annual revenue.
How does the appointment of a data protection officer take place?
In order to appoint a data protection officer, you should follow these three steps:
- First, select a person who is suitable for the task. Ultimately, suitable means that the person has taken part in recognised further training and is familiar with the topic. For this reason, most companies tend to opt for an external data protection officer, instead of training an internal employee.
- You should then have an initial discussion with the person and come to a verbal agreement about how you will work together in the future.
- You or the executive management will then enter into a written service agreement or a written appointment order with the DPO.
The appointment certificate
When appointing an external data protection officer, a so-called appointment certificate will be drafted, and it should include the following:
- Client (your company) and contractor (data protection officer)
- Reference to Articles 37 to 39 UK GDPR, because these form the legal basis of the appointment.
- The beginning of the activity – in other words, from when will the contractor act as the DPO.
- The duties of the DPO in accordance with Article 39 UK GDPR.
- The confidentiality obligations and the risk assessment obligation in accordance with Article 39 UK GDPR.
All companies where at least 20 people process and work with personal and sensitive data must appoint a data protection officer. Small and medium-sized companies in particular rely mostly on external data protection officers: not only are they qualified, they are also generally cheaper than an internal employee, and this can also prevent conflicts of interest. Once the right person has been selected, the appointment as data protection officer should always take place in writing.
Do you have further questions on the appointment of a DPO, or are you already looking for an external solution? Our experts will be happy to answer any question. Feel free to reach out for a free consultation!