The GDPR requires both data controllers and processors that meet certain criteria to designate a Data Protection Officer (DPO). The role is an extension of the accountability regime introduced by the new regulation. The DPO's duties are to ensure that an organisation's data protection policies and practices are in line with the GDPR.
Does my organisation need a DPO?
The requirement is triggered where any one of the following thresholds is met:
- The processing is carried out by a public authority or body, or
- The core activities of the data controller or processor consist of processing operations which, by their nature, scope and/or purposes, require regular and systematic monitoring of data subjects on a large scale, or
- The core activities of the data controller or processor consist of processing on a large scale of special categories of data (sensitive data) or of data relating to criminal convictions and offences
The chosen wording provides little certainty. There is no harmonised definition of a ‘public authority’, and thresholds 2 and 3 replace the far more certain, if not necessarily satisfactory, ‘size’ test proposed in earlier drafts with a more purposive test based on the nature of the processing.
Speak to a solicitor if you are in any doubt as to whether your business will require a DPO.
Who can be appointed as a DPO?
An existing member of staff may be appointed as a DPO, but the candidate must possess ‘expert knowledge of data protection law and practices’. Where an internal candidate lacks that expertise, they must receive adequate training to bring them up to the required standard.
A DPO must also be involved ‘properly and in a timely manner’ in all issues relating to the protection of personal data at the organisation, which will place real demands on the officer’s time.
A DPO’s conflicting duties
One of the most difficult elements to reconcile is the DPO’s potentially conflicting duties to their employer on the one hand and to the supervisory authority (in the UK, the ICO) on the other. A DPO must therefore have some level of independence from their employer in order to fulfil what may at times be conflicting duties. It follows that an organisation must not attempt to dictate the way in which a DPO carries out their tasks under the GDPR, as the regulation clearly states that a DPO should not ‘receive any instructions’ from the organisation regarding the exercise of those tasks.
In recognition of this potentially difficult balancing act, employment protection is afforded to those taking on the role. The GDPR confirms that the DPO ‘shall not be dismissed or penalised…for performing his tasks’.
These additional complications should be considered when selecting a suitable candidate for the role. The wrong choice could risk exposing the business to liability and/or undermining business needs.