Yes, it is required by law if you meet any of the following three criteria:
Where the processing is carried out by a public authority or body;
Where the “core activities” of the Data Controller or Data Processor consist of processing operations which require “regular and systematic monitoring” of data subjects on a “large scale”; or
Where the “core activities” of the Data Controller or Data Processor consist of processing on a “large scale” of “special categories of personal data” or data relating to criminal convictions and offences.
You can appoint a Data Protection Officer on a voluntary basis to give your organisation and its stakeholders added assurance and to further demonstrate and meet the accountability requirements under the GDPR. A Data Protection Officer can be a member of staff or an appointed third party retained on a service contract.
Whilst not always a full-time role, DPOs are required to be independent and to have specialist data protection expertise. This role is becoming increasingly important because the Information Commissioner’s Office (ICO) has the power to impose significant financial penalties when organisations fail to protect personal data. The risk of reputational damage can even be terminal for an organisation.
The DPO’s tasks are defined in Article 39 as:
- To inform and advise you and your employees about your obligations to comply with the GDPR and other data protection laws;
- To monitor compliance with the GDPR and other data protection laws, and with your data protection policies, including managing internal data protection activities, raising awareness of data protection issues, training staff and conducting internal audits;
- To advise on, and to monitor, data protection impact assessments;
- To cooperate with the supervisory authority; and
- To be the first point of contact for supervisory authorities and for individuals whose data is processed (employees, customers etc).
It’s important to remember that the DPO’s tasks cover all personal data processing activities, not just those that require their appointment under Article 37(1).
- The DPO should prioritise and focus on the more risky activities, for example where special category data is being processed, or where the potential impact on individuals could be damaging. Therefore, DPOs should provide risk-based advice to your organisation.
- If you decide not to follow the advice given by your DPO, you should document your reasons to help demonstrate your accountability.
- When carrying out their tasks the DPO is required to take into account the risk associated with the processing you are undertaking. They must have regard to the nature, scope, context and purposes of the processing.
- The law says that you should appoint a DPO on the basis of their professional qualities, and in particular, experience and expert knowledge of data protection law.
- Whilst the law doesn’t specify the precise credentials they are expected to have, it does say that these should be proportionate to the type of processing you carry out, taking into consideration the level of protection the personal data requires. All our Data Protection Advisors have achieved, or are working towards, the Certified Information Privacy Professional/Europe (CIPP/E) qualification.
- So, where the processing of personal data is particularly complex or risky, the knowledge and abilities of the DPO should be correspondingly advanced enough to provide effective oversight. It would therefore be an advantage for your DPO to also have a good knowledge of your industry or sector, as well as your data protection needs and processing activities.
- A dedicated point of contact to provide a consistent and personal service. External DPOs can make use of their best practice experience from other companies for your organisation’s benefit, creating a synergy effect;
- Practical and cost effective. The packages offered by Bruce & Butler may well cost less than the long-term costs of deploying your own staff resources.
- Your main point of contact takes responsibility for the role and (at no additional cost) is supported by a team of other specialists at Bruce & Butler who step in when required, therefore ensuring a seamless and continual service and removing the distraction, cost and inconvenience of recruiting replacements.
- External and independent assurance free from any conflict of interest. CEOs, Heads of IT, HR, Marketing and Legal Advisors are in general unable to act as appointed DPOs, which can make selecting an internal DPO more challenging;
- Guidance & advice from dedicated industry professionals. Organisations are required to appoint a DPO based on professional experience. We have the specialist knowledge and have received advanced training without you having to pay for it;
- Ensures the DPO requirements, under GDPR Articles 37-39, are met. Organisations experiencing difficulty recruiting a qualified and experienced DPO can appoint an outsourced DPO in the short to medium term to fill the gap.
Fundamentally, we believe that all these benefits, and more, combined mean a Bruce & Butler Outsourced DPO provides far greater value for this key role than is possible from a small team, a single independent contractor or an internal employee.