Who requires a DPO?

Under the GDPR (General Data Protection Regulation), certain organisations are required to appoint a DPO (data protection officer) to oversee their compliance practices.

This is mandatory for:

  • Public authorities;
  • Organisations whose core activities consist of processing operations that require regular and systematic monitoring of data subjects on a large scale; or
  • Organisations whose core activities consist of processing on a large scale of special categories of data or personal data relating to criminal convictions and offences.

However, you may have seen reports urging organisations that don’t fit into these criteria to appoint a DPO anyway.

Notably, the WP29 (Article 29 Working Party) released guidance before the GDPR took effect suggesting that all organisations appoint a DPO as a matter of good practice.

This advice has been repeated often – with experts suggesting that having an independent expert on board will help you navigate the GDPR in a way that’s not possible by relying on your own knowledge.

However, other experts have suggested that, although organisations will benefit from an independent expert, the DPO role should be reserved strictly for organisations that fit the GDPR’s criteria. Everyone else can appoint someone in an analogous position, such as a GDPR Manager.

Doing that gives organisations the flexibility to adapt the role to their specific requirements without inadvertently violating the GDPR’s DPO requirements.

So which is the right approach for you? We break down the DPO position in this blog to help you understand your requirements.

What does a DPO do?

A DPO is an independent data protection expert who is responsible for advising an organisation on how to comply with its legal requirements concerning data processing. 

Their tasks include: 

  • Advising staff on their use of personal data; 
  • Monitoring the organisation’s data protection policies and procedures; 
  • Advising management on whether DPIAs (data protection impact assessments) are necessary; 
  • Serving as the point of contact between the organisation and its supervisory authority; and 
  • Serving as a point of contact for individuals on privacy matters. 

A complete list of the DPO’s responsibilities is outlined in Article 39 of the GDPR

All organisations are required to register their DPO with their supervisory authority, which in Ireland is the DPC (Data Protection Commission). The DPC has released an online registration form to assist companies.

Free download: The Data Protection Officer (DPO) Role – A beginner’s guide

Learn more about the DPO role and how it fits into an organisation’s activities by downloading The Data Protection Officer (DPO) Role – A beginner’s guide.

This introductory guide explains what a DPO does, whether your organisation is required to appoint one and how you can find an appropriate candidate.

Download now

DPO as a service

Whether organisations are looking for a DPO or a GDPR Manager, they are often stymied by the lack of suitable options. There is simply far too great a demand for qualified personnel and such little supply.

The flexibility of the GDPR Manager role means you don’t need to be as specific in your requirements.

Under the GDPR, DPOs must have a demonstrable understanding of data protection law and regulatory requirements. They also need good communication skills, as they’ll be working with the organisation’s staff and management, as well as its supervisory authority.

That said, you don’t need a formal qualification to become a DPO (although training courses are helpful for those who want guidance on how to complete the necessary tasks).

However, one important consideration about appointing a DPO – at least if you are hiring internally or asking them to complete additional tasks – is that they cannot have a conflict of interests.

These limitations are why many organisations are outsourcing the role, with programmes such as IT Governance’s DPO as a service providing remote expertise.

With this service, one of our data protection experts will act as a remote DPO, completing the necessary tasks for your organisation and providing you with guidance whenever you need it.

Looking for more GDPR advice?

Those looking for help meeting their data protection requirements should take a look at our GDPR Toolkit.

EU general data protection regulation documentation toolkit

Designed and developed by GDPR experts, this toolkit contains a complete set of template documents to demonstrate your compliance practices.

It’s ideal for anyone who wants help completing their documentation requirements quickly and easily, but it’s more than simply a set of templates. It also includes:

  • Gap analysis and DPIA tools that help you identify compliance weaknesses and how to address them;
  • Two licences for the GDPR Staff Awareness E-learning Course; and
  • Guidance documents covering data subject consent forms, data retention records, and pseudonymisation, minimisation and encryption.
Get started

A version of this blog was originally published on 24 July 2018.

Related Posts

About The Author

Luke Irwin

Luke Irwin is a writer for IT Governance. He has a master’s degree in Critical Theory and Cultural Studies, specialising in aesthetics and technology.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.