GDPR – What’s a DPO?

  • Home
  • GDPR – What’s a DPO?
  • 27
    Sep 17

GDPR – What’s a DPO?

Tags : 

data-padlockThe General Data Protection Regulation (GDPR) has introduced many new terms which we will all get familiar with over the next few months. A DPO (Data Protection Officer) is one of them and many people are asking whether they really need one. This is in part due to the confusion created by the to-and-fro between the European Commission, the European Parliament and the Council of Ministers during the drafting of the regulation and subsequent clarifications by a working party (the Article 29 Working Party). With that many fingers in the pie it’s not surprising that there is confusion.

So what does a DPO do?

The role of the DPO is to help organisations comply with data protection law, avoid the risks that they may face when processing personal data and be the link between the public and the organisation’s employees in relation to the processing of personal information held. The DPO also acts as the person that data protection queries should be directed to. A mini-job description is actually given in the GDPR’s Articles 37(5) and 39(1):

“The DPO, who can be a staff member or contractor, shall be designated on the basis of professional qualities and, in particular, expert knowledge of data protection law and practices and the ability to fulfil the tasks referred to in Article 39.”

“The data protection officer shall have at least the following tasks:

  • (a) to inform and advise the controller or the processor and the employees who carry out processing of their obligations pursuant to this Regulation and to other Union or Member State data protection provisions;
  • (b) to monitor compliance with this Regulation, with other Union or Member State data protection provisions and with the policies of the controller or processor in relation to the protection of personal data, including the assignment of responsibilities, awareness-raising and training of staff involved in processing operations, and the related audits;
  • (c) to provide advice where requested as regards the data protection impact assessment and monitor its performance pursuant to Article 35;
  • (d) to cooperate with the supervisory authority;
  • (e) to act as the contact point for the supervisory authority on issues relating to processing, including the prior consultation referred to in Article 36, and to consult, where appropriate, with regard to any other matter.”

Do you need to appoint a DPO?

This is, of course, the question! You should assume that you do – unless you can demonstrate that you don’t! That’s because the criteria for appointing a DPO applies to most organisations. However, not every organisation needs to appoint one. Confused? The GDPR lays out three scenarios for a DPO as follows:

  1. The processing is carried out by a ‘public authority’ – Although the GDPR does not define what a public authority is, in the UK this is most likely to reflect the definition given in Section 3 of the Freedom of Information Act 2000.
  2. The ‘core activities’ require regular and systematic monitoring of data subjects on a ‘large scale’ – Core activities can be considered as the key operations necessary to achieve the organisation’s goals. There is no definition of what ‘large scale’ means, however examples could be processing customer data by an insurance company or bank, processing personal data for behavioural advertising by a search engine, processing payroll data by a payroll bureau, or staff information by an HR support company.
  3. Where ‘core activities’ involve ‘large scale’ processing of ‘special categories’ of personal data and relating to criminal convictions and offences – Special categories of data are broadly the same as Sensitive Personal Data under the Data Protection Act 1998. These cover ethnic origin, political opinions, religious beliefs and health data, and apply to, amongst others, polling companies, trade unions and healthcare providers storing patient records.

There has been uncertainty whether the requirement to appoint a DPO applies to SMEs – possibly because an earlier draft of the GDPR suggested ‘large scale’ meant organisations with 250+ employees or was regularly processing more than 5000 records. However, the Information Commissioner’s Office (ICO) has clarified this:

“I’ve heard plenty of people talking about there being a DPO exemption for SMEs – this is absolutely not the case.” – Peter Brown, Senior Technology Officer, Information Commissioner’s Office (ICO).

Even where a DPO is not required (as directed by the GDPR) you may wish to consider appointing an individual within your company to carry out that role on a voluntary basis. This will help to ensure that you are proactive in monitoring GDPR compliance. They don’t need to be called a DPO – you could use the term ‘Privacy Officer’ for example. However, being a voluntary DPO is no excuse to perform the role to any lesser degree and the role and tasks should be treated as if the appointment had been mandatory.

And finally, not having a DPO isn’t an excuse for non-compliance!

GDPR Preparedness Toolkit Seminar

This 2 hour seminar will help you, as you take your first steps towards compliance by sharing practical insights about implementing a data security based approach in line with the Regulation. You will learn about:

  • Why you have to comply with the GDPR and what might happen if you don’t.
  • The GDPR’s direct effect on your business and the transition timelines.
  • The steps to take in preparing for compliance.
  • The technical and organisational measures your business will need to adopt to comply with the Regulation.
  • A key assessment toolkit you can use to help you to achieve compliance.

The seminar will be held at The Birch Hotel, Heywood with easy access to the M60, M62 and M66 on:

  • Wednesday, 25th October 2017, 14:00 to 16:15
  • Wednesday, 29th November 2017, 14:00 to 16:15

Standard tickets are £25.00

Early Bird Discount tickets are £15.00 (available only if you book within 14 days of the seminar)

Contact us on 0345 319 4887 to book or book online with Eventbrite.

News Archive

More Information (PDF)

Smarter Technologies Ltd, Unit 1 Broadfield Industrial Estate, Seymour Street, Heywood, OL10 3AJ | Company No.: 07172781 | VAT No.: 794 7491 68

 Request a Quote

What our clients say:
Lynne SprigingsLynne SprigingsBolton Young Persons Housing Scheme
As a small charity it’s really important for us to have reliable and responsive IT support, which Smarter Technologies supplies.
Dave BagleyDave BagleyUrban Outreach (Bolton)
Thanks again for the swift response from Smarter Technologies to our IT needs recently. All is working perfectly.
Maura JacksonMaura JacksonBackup North West
Smarter Technologies have looked after our IT for well over 10 years. They are fabulous, knowledgeable, hard working, thorough, reliable, good value for money and proactive.
Sharon HamerSharon HamerThe Housing Link (2003)
Thank you for all your advice, help and support. I would not hesitate to recommend Smarter Technologies.
Nikki PriceNikki PriceInstil Bio (UK) Limited
Thank you very much for your help on a Saturday! I can’t tell you how very grateful we are to you for helping us out with this last minute request and doing it so promptly.
Jane HaywardJane HaywardYMCA Black Country Group
The service I have received has been excellent, from the initial meeting where the process was explained to managers, right down to coming out to go through SharePoint with me.
Andrew JennerAndrew JennerRCD Leaflets
Please pass my thanks on to the team as the whole process from quote to install was unbelievably thorough, efficient and smooth.
David Lackner-SmithDavid Lackner-SmithThe Sanctuary Trust
It’s great being able to rely on such prompt service from Smarter Technologies, it really gives us peace of mind knowing that our IT support is provided by a team that will go the extra mile.
Bill LeesBill LeesThe Housing Link (2003)
Smarter Technologies make so many complicated things sound clear and understandable in a way that I completely understand.
Jim GowmanJim GowmanYMCA Black Country Group
Just to say to the Smarter Technologies team, thanks for a very smooth transition into the 21st Century of IT with our upgraded equipment. All aspects of the installation have received positive feedback from day one.
Jim GowmanJim GowmanYMCA Black Country Group
I want to pass on the thanks received today from across all parts of the YMCABC teams about how robust the IT systems have been. We have had to get to grips with remote working and with this pandemic it has come into its own.
Graham EvansGraham EvansThe Housing Link (2003)
We have a tight budget and Smarter Technologies has enabled us to ‘work smarter’ and provide fast assistance to those who need it. It has played an integral role in the success of this charity.
Richard BoydRichard BoydRed Flame Marketing
I found the IT support for my small business to be excellent. Everything is clearly explained in non-technical language; prompt service and very affordable. Will be recommending Smarter Technologies to other businesses. (In fact, I already have!).
Andrew BeeputAndrew BeeputThe Bond Board
Smarter Technologies really understand the pressure charities are under and consider this when making recommendations. They saved us so much money – I can’t put a price on their help. It was invaluable.
Tracey PeaceTracey PeaceRamsbottom Kitchen Company
The Smarter Technologies team are like extended members of our staff and always go the extra mile. The team come in early and stay until they finish – they even lock up for us.
prevnext

© 2011-2024 Smarter Technologies Ltd  |  Privacy Statement

%d bloggers like this: