Keys to appointing your DPO, what to consider?
DPOs, or Data Protection Officers, help organisations monitor internal compliance. They inform and advise senior leadership and the workforce on your data protection obligations, provide advice regarding Data Protection Impact Assessments (DPIAs), and act as a contact point for data subjects and the supervisory authority, the ICO. The DPO must be independent, adequately resourced, report to the highest management level and be an expert in data protection.
Does my organisation need a data protection officer?
Are you a public authority? No
Do your organisation’s core activities require regular and systematic monitoring of individuals on a large scale? No
Do your organisation’s core activities involve processing on a large scale ‘special categories’ of personal data, or ‘criminal convictions or offences data’? No
Although you may not be required by law to appoint a DPO, it's important to have someone in your organisation who is responsible for data protection. You can, however, voluntarily appoint a DPO to advise on your data protection obligations, provide advice regarding Data Protection Impact Assessments (DPIAs) and act as a contact point for data subjects and the supervisory authority.
Under the GDPR, you must appoint a DPO if:
- You are a public authority or body (except for courts acting in their judicial capacity);
- Your core activities require large scale, regular and systematic monitoring of individuals (for example, online behaviour tracking); or
- Your core activities consist of large scale processing of special categories of data or data relating to criminal convictions and offences.
This applies to both controllers and processors.
There are several options when considering how to fulfil the role of DPO:
- Support incumbent staff to train and learn the role.
- Contract the role out.
- Share the role with another organisation.
All three options have pros and cons, so it's important to study your organisation and identify the most suitable option. I would suggest that all three options would require some level of externally led support to help implement and embed certain aspects of GDPR from an impartial perspective. It is also good to have strategic relationships with data champions as the focus on cyber security and data privacy increases. Having an external DPO may therefore allow you to comply with minimal disruption to incumbent staff and BAU. Utilising the knowledge pools and resources of industry experts helps raise the significance of data protection, and compliance with it, within any given organisation over time.
If you require any more information on appointing or outsourcing a DPO, or would like to learn more about how CDS can support your incumbent, please get in touch with our team.
Outsourced Data Protection Officer: https://compliancedirectsolutions.com/data-protection/outsourced-data-protection-officer/