Since UK data protection law was updated on 25 May 2018, companies may need to appoint a data protection officer (DPO). Strictly speaking, the regulation states that companies shall designate a data protection officer if the processing is carried out by a public authority or body, if the core activities of the company include regular and systematic monitoring of data subjects on a large scale, and/or if the core activities of the company consist of large-scale processing of special categories of data.
This applies to both controllers and processors. You can appoint a data protection officer if you wish, even if you aren’t required to; there are a variety of benefits that a DPO can bring.
What you need to know, in a nutshell
- The UK GDPR says that you should appoint a DPO on the basis of their professional qualities, and in particular, experience and expert knowledge of data protection law.
- It doesn’t specify the precise credentials they are expected to have, but it does say that this should be proportionate to the type of processing you carry out, taking into consideration the level of protection the personal data requires.
- So, where the processing of personal data is particularly complex or risky, the knowledge and abilities of the DPO should be correspondingly advanced enough to provide effective oversight.
- It would be an advantage for your DPO to also have a good knowledge of your industry or sector, as well as your data protection needs and processing activities.
- Some of the tasks of the DPO are: to inform and advise the company about its obligations to comply with UK GDPR and other data protection laws and to monitor compliance with the UK GDPR.
- This appointment is always carried out by the executive management.
- If, despite this obligation, no data protection officer is appointed, the company may face fines of up to 10 million euros or, in case of an undertaking, up to 2% of the total worldwide annual turnover of the preceding financial year, whichever is higher.
In this article
- When is the appointment of a data protection officer required by law?
- What are the 5 key responsibilities of a data protection officer?
- When appointing a DPO, what criteria must be met?
- Who must carry out the appointment?
- Failure to appoint someone could mean a fine
- How does the appointment of a data protection officer take place?
- The appointment certificate
When is the appointment of a data protection officer required by law?
According to article 37 of the UK GDPR, there are three situations in which a data protection officer must be appointed:
- The company is a public authority - These are public bodies that process personal data. The only exceptions are courts and other judicial bodies that are considered independent.
- The company conducts mass surveillance - These are companies that routinely and systematically monitor their "data subjects" (the individuals whose personal data they process, such as UK residents), and for which this monitoring is a core activity of the business.
- The company processes special category personal data - A DPO is required if companies process "special category personal data" as the main part of their operations, especially if it's on a large scale.
If your company falls under any of these categories, the next step is to understand the role a DPO will play in your company before you appoint one.
What are the 5 key responsibilities of a data protection officer?
When a data protection officer is appointed, they will ensure that your company complies with all data protection regulations. This includes the following:
- Data privacy training for your staff - A DPO is responsible for educating staff by sharing best practices and making sure they understand the impact of, and their responsibilities under, data protection law.
- Monitoring of data protection compliance - A DPO must be able to monitor the flow and use of data in a company, and information retention in accordance with data protection law. This ensures compliance and keeps the company accountable for its data.
- Advise the business on data protection - A DPO must inform and advise the organisation of their obligations under the law, specifically advising on any assessment of risk to “data subjects”.
- Cooperation with the supervisory authorities - DPOs must be proactive to prepare for events such as security breaches and other security concerns. This includes having a good line of communication with supervisory authorities to keep them informed of these events.
- Support organisational growth and data handling - Organisational growth involves new risks and data challenges. A DPO must understand and prepare for these challenges, and have a strong strategy on how to mitigate risks.
Once you understand what a DPO can and should do for your company, you can start the screening process to hire a DPO.
When appointing a DPO, what criteria must be met?
The UK GDPR states that a DPO can only be appointed if they meet the following criteria:
- The DPO must be suitably qualified. While there is no specific qualification required to be a DPO, it helps if they hold a recognised certification or degree. Ultimately, they need to have, and be able to demonstrate, the relevant experience to carry out the tasks of a DPO.
- Your data protection officer requires an insight into your company. They should have communication skills and the willingness to develop professionally. Moreover, they should be able to handle technical or legal matters efficiently.
- You must also prevent conflicts of interest. For example, it is not advisable to appoint your Head of IT or one of your managing directors as the data protection officer, as they will be involved in decisions about how to process personal data. This can create a conflict between decisions made in the company’s interests and the interests of the “data subjects”.
Companies often decide to appoint an outsourced data protection officer because they already have the necessary qualifications and experience. In addition, they will not suffer from conflicts of interest. In most cases, the costs are also lower than if an internal employee takes on this task.
At DataGuard, more than 100 people passionately take care of data privacy, compliance, and IT security. Our qualified data protection officers provide individual advice and can be appointed from just £150 per month.
Who must carry out the appointment?
The data protection officer reports directly to the highest level of management within the organisation. The DPO needs to be appointed (and declared to the supervisory authority) by a decision maker within the data controller’s organisation.
Failure to appoint someone could mean a fine
It is not just in the case of data breaches or violations that you could face fines; you could also face fines if you fail to appoint a data protection officer where required. Under the UK GDPR the fines can be as high as £17.5 million or 4% of the company’s global annual revenue.
How does the appointment of a data protection officer take place?
To appoint a data protection officer, you should follow these three steps:
- First, select a person who is suitable for the task. Ultimately, suitable means that the person has demonstrable expertise in UK data protection law. For this reason, many companies tend to opt for an external data protection officer, instead of training an internal employee.
- You should then have an initial discussion with the person and come to a verbal agreement about how you will work together in the future.
- You or the executive management will then enter into a written service agreement or a written appointment order with the DPO.
The appointment certificate
When appointing an external data protection officer, a so-called appointment certificate will be drafted, and it should include the following:
- Client (your company) and contractor (data protection officer)
- Reference to Articles 37 to 39 UK GDPR, because these form the legal basis of the appointment.
- The beginning of the activity – in other words, from when will the contractor act as the DPO.
- The duties of the DPO in accordance with Article 39 UK GDPR.
- The confidentiality obligations and the risk assessment obligation in accordance with Article 39 UK GDPR.
Small and medium-sized companies in particular rely mostly on external data protection officers. Not only are they qualified, but they are also generally cheaper than using an internal employee. This can also prevent conflicts of interest. Once the right person has been selected, the appointment as data protection officer should always take place in writing.
If you’re looking to outsource a DPO, our experts will be happy to guide you through the process. Book a free consultation today.
How do I appoint a data protection officer?
Understanding what criteria must be met when appointing a DPO is the first step. Then, you must make sure they work independently, and have the resources they need to get started. This includes ensuring that they report to top level management. A DPO can be a current staff member or an outside consultant. In some cases, one DPO may work with multiple companies.
What is the difference between a data controller and a data protection officer?
A data controller is any company/organisation that determines the purpose for personal data processing. A data protection officer is an independent party appointed by a data controller to ensure that the company processes data in compliance with laws and regulations such as the GDPR.
Is a DPO personally liable?
Under Article 38 of the UK GDPR, the reasons to terminate or penalise a DPO are limited, because they are not responsible for implementing UK GDPR compliant processes within a company. This responsibility lies with the top management and partners of a company.
What is not a responsibility of a data protection officer?
The DPO is in charge of making sure that the top management of a company sticks to its data protection strategy and goals. However, they are not part of the management team and are not accountable for the execution of the company's data protection measures.
Do data protection officers conduct audits?
Yes. According to Article 39 of the UK GDPR, a DPO’s responsibilities include conducting regular audits to ensure that the company is in compliance with GDPR.
Do small companies need a data protection officer?
Yes, the requirement to appoint a DPO under Article 37 of the UK GDPR applies to all companies, regardless of size.
But even if a small company isn't legally required to hire a DPO, it is still responsible for making sure it follows the UK GDPR. If the company doesn't have the resources to do this, it may hire a DPO or ask a staff member to take on the duties of a DPO.