GDPR for commercial organisations – Data Protection Officer (DPO)
The GDPR requires both data controllers and processors that meet certain criteria to designate a Data Protection Officer (DPO). The role is an extension of the accountability regime being brought about by the new regulation. A DPO’s duties include aligning an organisation’s data protection policies and practices with the GDPR.
Does my organisation need a DPO?
The requirement is triggered where any one of the following thresholds is met:
- The processing is carried out by a public authority, or
- The core activities of the data controller or processor consist of processing operations which require regular and systematic processing of data subjects on a large scale, or
- The core activities of the data controller or processor consist of processing on a large scale of sensitive data or data relating to criminal convictions/offences.
The chosen wording provides little in terms of certainty. There is no harmonised definition of a ‘public authority’, and thresholds 2 and 3 replace the far more certain, if not necessarily satisfactory, ‘size’ test with a more purposive test.
Speak to a solicitor if you are in any doubt as to whether your business will require a DPO.
Who can be appointed as a DPO?
An existing member of staff may be appointed as a DPO, but there is a requirement that they possess ‘expert knowledge of data protection law’. The candidate must receive adequate training to bring them up to speed.
A DPO must also be ‘properly involved’ in all matters relating to data protection at the organisation, which would place demands on the officer’s time.
A DPO’s conflicting duties
One of the most difficult elements to reconcile is the DPO’s potentially conflicting duties to his or her employer on the one hand and to the ICO on the other. As such, a DPO must have some level of independence from their employer in order to fulfil what may at times be conflicting duties. It follows that an organisation must not attempt to dictate the way in which a DPO fulfils their obligations under the GDPR, as the regulation clearly states that a DPO should not ‘receive instructions’ from the organisation in this respect.
In recognition of this potentially difficult balancing act, employment protection is afforded to those taking on the role. The GDPR confirms that the DPO ‘shall not be dismissed or penalised…for performing his tasks’.
These additional complications should be considered when selecting a suitable candidate for the role. The wrong choice could risk exposing the business to liability and/or undermining business needs.
For more information or guidance, please contact:
T. 020 7227 7433
T. 0207 227 7381
This briefing is for guidance purposes only. RadcliffesLeBrasseur accepts no responsibility or liability whatsoever for any action taken or not taken in relation to this note and recommends that appropriate legal advice be taken having regard to a client's own particular circumstances.