A Data Protection Officer (DPO) is an expert in the field who assists a company to monitor internal compliance; informs it of and advises on its data protection obligations; provides advice on Data Protection Impact Assessments (DPIAs); and acts as a point of contact for data subjects and the relevant supervisory authority, which in the UK is the Information Commissioner’s Office (ICO).
*A UK GDPR Gap Analysis is required for all Medium & Large/Enterprise Businesses before the DPO contract starts.
Under Article 37(1) of the UK GDPR, appointing a DPO is mandatory in any of the following cases:
Where the processing is carried out by a public authority or body;
Where the “core activities” of the Data Controller or Data Processor consist of processing operations which require “regular and systematic monitoring” of data subjects on a “large scale”; or
Where the “core activities” of the Data Controller or Data Processor consist of processing on a “large scale” of “special categories of personal data” or data relating to criminal convictions and offences.
Even where none of these cases applies, you can appoint a Data Protection Officer on a voluntary basis to give your organisation and its stakeholders added assurance and to further demonstrate that you meet the accountability requirements of the GDPR. A Data Protection Officer can be a member of staff or an appointed third party retained on a service contract.
Importance of the role
Although the DPO role is not always full-time, DPOs are required to be independent and to have specialist data protection expertise. The role is becoming increasingly important because the Information Commissioner’s Office (ICO) has the power to impose significant financial penalties when organisations fail to protect personal data. The accompanying reputational damage can even be terminal for an organisation.
The DPO’s tasks are defined in Article 39 of the UK GDPR as:
It is important to remember that the DPO’s tasks cover all of an organisation’s personal data processing activities, not just those that make the appointment of a DPO mandatory under Article 37(1).
The law says that you should appoint a DPO on the basis of their professional qualities, and in particular their experience and expert knowledge of data protection law.
Whilst it does not specify the precise credentials a DPO is expected to hold, it does say that these should be proportionate to the type of processing you carry out, taking into consideration the level of protection the personal data requires. All our Data Protection Advisors have achieved, or are working towards, the Certified Information Privacy Professional of Europe (CIPP/E) qualification.
So, where the processing of personal data is particularly complex or risky, the knowledge and abilities of the DPO should be correspondingly advanced so that they can provide effective oversight. It is therefore an advantage for your DPO to also have a good knowledge of your industry or sector, as well as of your data protection needs and processing activities.
Fundamentally, we believe that all of these benefits, and more, combined mean that a Bruce & Butler Outsourced DPO provides far greater value for this key role than a small team, a single independent contractor or an internal employee can.