Yes, required by law, if you meet any of the following 3 criteria:
Where the processing is carried out by a public authority or body;
Where the “core activities” of the Data Controller or Data Processor consist of processing operations which require “regular and systematic monitoring” of data subjects on a “large scale”; or
Where the “core activities” of the Data Controller or Data Processor consist of processing on a “large scale” of “special categories of personal data” or data relating to criminal convictions and offences.
You can appoint a Data Protection Officer on a voluntary basis to give your organisation and its stakeholders added assurance and to further demonstrate that you meet the accountability requirements of the GDPR. A Data Protection Officer can be a member of staff or an appointed third party retained on a service contract.
Whilst the DPO is not always a full-time role, the person holding it is required to be independent and to have specialist data protection expertise. The role is becoming increasingly important because the Information Commissioner’s Office (ICO) has the power to impose significant financial penalties when organisations fail to protect personal data. The resulting reputational damage can even be terminal for an organisation.
The DPO’s tasks are defined in Article 39 as:
It’s important to remember that the DPO’s tasks cover all personal data processing activities, not just those that require their appointment under Article 37(1).
The law (GDPR Article 37(5)) says that you should appoint a DPO on the basis of their professional qualities and, in particular, their expert knowledge of data protection law and practice.
Whilst it does not specify the precise credentials they are expected to have, it does say that their level of expertise should be proportionate to the type of processing you carry out, taking into account the level of protection the personal data requires. All our Data Protection Advisors have achieved, or are working towards, the Certified Information Privacy Professional/Europe (CIPP/E) qualification.
So, where the processing of personal data is particularly complex or risky, the knowledge and abilities of the DPO should be correspondingly advanced so that they can provide effective oversight. It is therefore an advantage for your DPO to also have a good knowledge of your industry or sector, as well as of your data protection needs and processing activities.
Fundamentally, we believe that all of these benefits, and more, combined mean that a Bruce & Butler Outsourced DPO provides far greater value in this key role than is possible from a small team, a single independent contractor or an internal employee.
In a highly regulated and increasingly complex world, with ever-advancing technologies ingesting and processing personal data, we can ensure that compliance with data protection and privacy laws, such as the GDPR, is continually met and maintained.
Leveraging world-leading intelligent technology, expert knowledge and best-practice remediation measures, we can support you in appropriately managing information and cyber risk and in achieving certification to standards such as ISO 27001, Cyber Essentials and Cyber Essentials Plus.
Ensuring that vulnerabilities which could leave your organisation open to attack are both identified and minimised is an essential part of any organisation’s cyber security strategy, regardless of its size. We can perform regular assessments of your organisation’s infrastructure to identify vulnerabilities and give you the ability to remediate them before an attacker can exploit them.