A Data Protection Officer (DPO) is the individual who is responsible for an organisation's overall compliance with the GDPR (General Data Protection Regulation).
The GDPR makes it mandatory for a DPO to be appointed by any organisation which is a public body. The definition of public body is taken from Freedom of Information legislation and the new Data Protection Bill. This means that when Freedom of Information legislation is amended to include Registered Social Landlords (RSLs), you will be required to appoint a DPO. It is presently optional for RSLs to appoint a DPO.
Other types of organisations which must have a DPO are bodies which process special categories of personal data on a national or regional scale. For most other organisations, the appointment of a DPO will be optional.
Where appointed, a DPO is required to:
- Inform the organisation and its staff of their duties under the GDPR and other data protection law
- Monitor the organisation's and its staff's compliance with the GDPR and other data protection law
- Advise, where requested, the organisation and its staff in relation to data protection impact assessments
- Co-operate and consult with the state's supervisory authority, the Information Commissioner's Office
DPOs need not be internal members of staff; indeed, they should be impartial and independent. An internal member of staff cannot be appointed as a DPO if there would be a conflict of interest, for example if they are a Board Member. A DPO should not be involved in the day-to-day processing of personal data collected by the organisation. Some organisations may therefore choose to outsource their appointed DPO, and a single outsourced DPO may be appointed by several organisations. This may provide an economical and compliant solution to the requirement of having a DPO.
The DPO should be appointed and selected on the basis of his or her expert knowledge of data protection law and practices. This, of course, is expected to be in proportion to the size of the organisation.
It should be noted that the DPO cannot be penalised or dismissed for performing their tasks and is not personally liable for any breaches of the GDPR. Additionally, the DPO should report to the highest level of management.
For more information on the role of a Data Protection Officer and the GDPR, get in touch.