This article summarises when it is required to appoint a Data Protection Officer and provides a useful link on the topic.
What is a Data Protection Officer?
The role of a Data Protection Officer (DPO) is to monitor internal compliance with data protection regulations, inform and advise on your data protection obligations, provide advice regarding Data Protection Impact Assessments (DPIAs) and act as a contact point for data subjects and the Information Commissioner’s Office (ICO).
Do I need to appoint a Data Protection Officer?
The UK GDPR introduces a duty for you to appoint a Data Protection Officer if:
- you are a public authority or body (except for courts acting in their judicial capacity);
- your core activities require large scale, regular and systematic monitoring of individuals (for example, online behaviour tracking); or
- your core activities consist of large scale processing of special categories of data or data relating to criminal convictions and offences.
This applies to both controllers and processors.
You can appoint a DPO if you wish, even if you aren’t required to. If you decide to appoint a DPO voluntarily, be aware that the same requirements for the position and its tasks apply as if the appointment had been mandatory.
Who could be a DPO?
According to the ICO:
- The DPO must be independent, an expert in data protection, adequately resourced, and report to the highest management level.
- A DPO can be an existing employee or externally appointed.
- In some cases several organisations can appoint a single DPO between them.
- DPOs can help you demonstrate compliance and are part of the enhanced focus on accountability.
ICO's help article
For more information, have a read of this help article on the ICO's website.