Data Protection Officers
A definitive guide

The Data Protection Officer (DPO) is a legal appointment under the General Data Protection Regulation (GDPR). Their role is to assist the organisation monitor GDPR compliance, advise on privacy matters, oversee training, and liaise with customers and employees (Data Subjects) along with the national Data Protection Authority (DPA). Data Protection Officer appointments are mandatory for public bodies and businesses whose data processing operations meet set criteria. The European Data Protection Board (EDPB) recommends companies not required to appoint a DPO do so voluntarily.

Introduction

The history of data protection dates back almost 40 years to 1981 when the Council of Europe ratified Convention 108 for the Protection of Individuals with Regard to Automatic Processing of Personal Data. A treaty that continues to be updated today. A year earlier and the OECD released guidelines on the Protection of Privacy and Transborder Flows of Personal Data.

More recently, in 2016, the EU adopted the General Data Protection Regulation (GDPR), which has since taken data protection law to a new level. The GDPR came into effect on the 25th May 2018 and is widely accepted as the global gold standard. Any organisation, whether inside or outside of the EU that processes data about EU citizens, must now comply with the regulation.

Although the UK has now exited the EU, the GDPR still applies while we are in the transition period, which will run until the end of 2020. Once the transition period has ended, the UK government plans to incorporate the GDPR into UK data protection law, so in reality, very little will change.

If a business can’t show good data protection is a cornerstone of their practices, they leave themselves open to a fine or other enforcement action that could damage their bank balance or business reputation.

Elizabeth Denham, Information Commissioner

The GDPR was subject to thousands of amendments and one of the most fiercely debated provisions concerned the obligation to appoint a Data Protection Officer (DPO) in certain situations.

The role of the Data Protection Officer is not new, it has been a feature in data protection compliance in a number of countries including Germany, France, Canada, Mexico, and Chile.  Indeed, many UK organisations appointed DPOs or close equivalents years before the GDPR came into force.  The situation is vastly different now given that most public bodies and many commercial organisations have a mandatory obligation to appoint a DPO, and those that do not are highly encouraged to do so.

Appointing a data protection officer is no simple task, however. In the 2019 Data Privacy Benchmark Study by Cisco, over 3000 respondents were asked to define the major obstacles their organisations faced in preparing for the GDPR. Selecting suitable candidates and internal training were identified among the leading issues. 

29% report hiring and identifying Data Protection Officers is their most significant challenge in getting ready for the GDPR.

Cisco Data Privacy Benchmark Study 2019

About these articles

This series of carefully researched, in-depth articles provide a complete guide to the position, tasks, and employment of a Data Protection Officer, along with information about whether your organisation needs to make such an appointment and how to meet compliance if you choose not to put a DPO in place.

Intended audience

As a set of resource materials, these articles have been prepared primarily for:

  • Employers researching how best to manage GDPR compliance moving forward 
  • Existing data protection officers looking to validate their interpretation, or strengthen their understanding of specific areas of legislation and process relating to their role
  • Professionals interested in a career as a data protection officer

To enable you to explore certain points in greater depth, each article has extensive references and links to relevant sections of the GDPR, the WP29 DPO Guidelines, ICO advice and guidance, along with many other authoritative sources.

The series consists of 5 articles:

  • What is a Data Protection Officer?

    While Data Protection Officers existed long before the GDPR came into effect, the latest EU law on data protection represents the most broadly applied definition of the role. You can learn about the appointment, position and tasks of the DPO under Recital 97, along with Articles 37,  38 and 39 of the GDPR. 

    The DPO is a unique position, distinct from that of a Chief Information Officer (CIO), Chief Privacy Officer (CPO), and Chief Information Security Officer (CISO), or any similar senior positions for that matter. Firstly, an organisation is required to ensure that the appointee can undertake their tasks with independence and without fear of adverse consequences resulting from their decisions. In truth, a DPO may come into conflict with other departments, especially when recommending a Data Protection Impact Assessment (DPIA) is required, or when investigating a data breach.

    When it comes to personal liability for data protection compliance, this does not fall on the DPO.  The controller or processor remains responsible for complying with the GDPR. Nevertheless, the DPO clearly plays a crucial role in helping an organisation fulfil its data protection obligations.

    In this first article, we look at how the role of the Data Protection Officer evolved, its purpose and definition under the GDPR. We also identify the organisations the Data Protection Officer will come into contact with from supervisory authorities (SA) such as the Information Commissioner's Office (ICO) to industry associations.

    Download Guide

  • Do I need a Data Protection Officer?

    Both public and private organisations alike will need to establish whether they require a DPO. If an appointment is not mandatory, further evaluation should be undertaken to determine if it may be useful to select a DPO on a voluntary basis.

    The requirements for appointing a mandatory DPO can be found under Article 37. Public authorities and bodies are almost certainly required to do so. The determination, however, is not so obvious for commercial enterprises and will depend on the nature, size and scale of the data processing operations in place. If the core activities of a business involve regular and systematic monitoring of data subjects on a large scale, and or large scale processing of special categories of data, then they will also be required to appoint a DPO.

    In reality, there are many compelling arguments for appointing a DPO voluntarily. According to the WP29 Guidelines for Data Protection Officers, the DPO is not only a cornerstone of accountability but can also help to ensure a competitive advantage. It is reasonable to assume, therefore, that assigning someone to manage data protection risk and compliance makes good business sense. In doing so, you will not only provide confidence to data owners but all key stakeholders.

    In this second article, we examine the many questions surrounding whether to appoint a DPO in considerable detail. To allow for easier reading, we have separated our in-depth analysis into two sections, one for commercial organisations and the other for public authorities and bodies.

    Appointing a DPO for Business - Download Guide Appointing a DPO for UK Public Service - Download Guide

  • The role of the Data Protection Officer

    Before appointing a DPO, the executive management team will need to review how the organisation is structured to ensure that the Data Protection Officer can fulfil their obligations satisfactorily. Details can be found under Article 38 of the GDPR, which outlines the position of the DPO.

    The DPO should be an independent and adequately resourced position that reports to the highest management level. It also should be noted that the DPO must be free from the fear of disciplinary action when it comes to the performance of their official duties, and that they are bound by secrecy or confidentiality regarding the performance of their tasks.

    The tasks of the DPO are set out in Article 39. They include informing and training employees who process personal data on GDPR matters, monitoring compliance, analysing data protection impact assessments (DPIA), and acting as the point of contact for data subjects and regulatory authorities. The DPO may be assigned other duties (such as record keeping) if there is no conflict of interest. A significant component of the DPOs role is risk management, especially concerning DPIAs.

    In this third article, we look at the requirements employers face when appointing a DPO, what they should prepare for, and how to structure the position. We also introduce the areas that will require funding and resource allocation. Then to close, we outline the duties that the DPO must perform. 

    Download Guide

  • Appointing a Data Protection Officer

    Having decided to appoint a DPO, finding a suitable individual for the role is crucial. Article 37 of the GDPR sets out the criteria for selecting a candidate, who can be a new or existing member of staff, a consultant, or a specialist DPO service provider. It is worth noting, the role can be part-time, and that a DPO can cover several organisations provided they are easily accessible to each.  

    Whatever approach you take, the person (or specialist provider) that you select must possess the necessary skills and qualifications to fulfil the tasks set out in Article 39. They will require up to date knowledge of data protection law, compliance, IT, data security and project management. An understanding of the industry sector in which the organisation operates is a must-have too.  

    Soft skills are an equally important consideration, as any DPO will need to be adept at navigating internal politics and dealing with strong personalities. They will be required to provide awareness training, and to play a role in negotiating GDPR compliant supply-chain contracts. The ability to confidently communicate data protection principles with multiple stakeholders will be essential.

    Data protection is a rapidly evolving area with breach notifications, developments in case law, policy updates, guidance materials and other notices occurring daily. It's crucial, therefore, to find a DPO with enthusiasm, who possesses a natural desire for continuous learning and improvement.

    In this fourth article, we reflect on the skills, experience and professional qualities to look for in a DPO. We look at the advantages for and against making an internal or external appointment. Finally, we identify and compare some of the terms and details to consider while drafting a contract. 

    Download Guide

  • What to do when not appointing a Data Protection Officer

    While not all organisations are required to appoint a DPO, the necessity to be GDPR compliant is the same across the board. As such, any private enterprise that elects not to appoint a DPO must still have the right policies, procedures, and reporting abilities in place at all times.

    Three of the most critical areas of GDPR compliance relate to data subject access requests (SAR), data breaches and DPIAs. Where a DPO is in place, they will play a large part in ensuring these challenges are dealt with correctly. However, the absence of a DPO means such occurrences will need to be overseen by other personnel, whether from within the organisation or from outside.

    In this, the fifth and final article of the series, we look at these three areas in detail and offer practical steps that companies should follow when choosing not to make a DPO appointment.

    Download Guide

Final words

Now that the GDPR has passed its second anniversary, the role of the Data Protection Officer (in its current format) can no longer be considered new. Despite this, however, many organisations still have questions about whether to appoint a DPO, especially when you consider the implications.

In producing this resource, we hope to have shed light on some of those concerns. Over time we intend to update and maintain this content where we believe it will offer further direction to employers and practitioners alike.

Freevacy is an independent GDPR training provider. We offer accredited BCS and IAPP training for DPOs, privacy professionals and anyone with data protection responsibilities. We also deliver bespoke courses that can be adapted to suit your particular learning requirements.

For more information, please call: 0370 04 27001, or email: contact@freevacy.com

Freevacy has been shortlisted in the Best Educator category.
The PICCASO Privacy Awards recognise the people making an outstanding contribution to this dynamic and fast-growing sector.