Status: Modified

This is a modified concept. The role of a data protection officer (DPO) is an existing concept that some controllers and processors already choose to employ; however, the GDPR will introduce a mandatory obligation for certain data controllers and processors to appoint a DPO.

How does this concept differ from the current position?

Currently, within the EU, only Germany has enacted similar mandatory provisions. Although the Information Commissioner’s Office (ICO) encourages it as good practice, there is no legal requirement in the UK for entities to appoint a DPO.

The GDPR introduces a mandatory obligation for controllers and processors to designate a DPO in specified circumstances, including:

  • if you are a public body
  • if your core activities require regular and systematic monitoring of data subjects on a large scale
  • if your core activities involve large scale processing of sensitive data and data relating to criminal convictions.

Member states may also introduce, at their discretion, other circumstances where the appointment of a DPO is required.

A DPO may be an employee or a contractor engaged under a service contract. They do not need to be legally qualified but, either way, must have expert knowledge of data protection law. From a practical perspective, it will be useful for a DPO to have a reasonable understanding of an organisation’s technical and organisational structure and be familiar with its IT infrastructure. A single DPO may also be engaged to cover multiple entities within a group, provided that the DPO is easily accessible from each establishment.

The GDPR also sets out the minimum tasks that a DPO must undertake. These include:

  • informing and advising their colleagues of their data protection obligations
  • monitoring compliance with the GDPR and the organisation’s data protection policies
  • providing advice regarding Privacy Impact Assessments
  • co-operating with the relevant supervisory authority
  • acting as a contact point for the supervisory authority on data processing issues.

Organisations are required to provide DPOs with the resources necessary to carry out these tasks and to maintain their expert knowledge. DPOs are also required to have a certain level of independence from their organisation. This is supported by provisions in the GDPR which require organisations to ensure that the DPO: (a) does not receive any instructions regarding the exercise of its tasks; (b) is not dismissed or penalised for performing its tasks; and (c) reports directly to the organisation’s highest management level.

What will the impact be on your business?

  • This requirement will introduce an additional compliance burden for organisations both at the appointment stage and in terms of ongoing resources and support that organisations are required to provide.
  • Any organisations that fail to appoint a DPO when they are required to do so also risk a fine of up to €10,000,000 or 2% of the organisation’s worldwide turnover, depending on which amount is higher.
  • However, for some organisations, the appointment of a single point of contact for data protection issues may reduce bureaucracy, be an effective and efficient way to ensure compliance with data protection requirements and reduce the likelihood of, and costs involved in, any interventions by supervisory authorities.
  • Transparent and efficient handling of personal data via a DPO can also help an organisation gain a competitive advantage, particularly in terms of public perception and reputation.

What actions should you take to prepare?

  • Any change takes time to implement. Entities should consider, as early as possible, whether they will be required to appoint a DPO and, if so, plan how best to procure external services or recruit, train and resource the position.
  • Since Member States will have discretion to enact national provisions imposing further requirements regarding the appointment of DPOs, organisations should also keep track of any Member States’ national requirements that may be more stringent than those under the GDPR.