By Sofia Carroll, Information Governance Manager
Discover how you can benefit from expert GDPR advice at your fingertips even if the law doesn’t require you to appoint a Data Protection Officer.
Do I need a Data Protection Officer?
Article 37 of the UK GDPR lists certain scenarios when you must appoint a Data Protection Officer (DPO):
- You are a public body but not a court acting in a judicial capacity.
- Your core activities include large-scale, regular monitoring of people, or large-scare processing of personal data that requires further protection, for example such about their health.
If any of the above applies and you don’t have a DPO, there is a high risk you are infringing the law. In any other case, it is a voluntary decision whether to have a DPO.
What are the advantages of appointing a DPO?
Access to specialist and tailored knowledge
A DPO is your organisation’s dedicated adviser, specialist in data protection. They may also have further qualifications depending on your sector, making them an even stronger player on your compliance team.
A DPO is responsible for:
- Compliant management of the personal data you use, keeping you informed about the relevant regulations and current best practice.
- Acting as a point of contact for all data protection queries from your staff, customers and clients, and the Information Commissioner’s Office (ICO).
- Carrying out risk assessment relating to personal data and providing appropriate training for everyone internally.
This means that if you don’t have a DPO, you lose out on a vast amount of knowledge your business can benefit from. You can’t eliminate all information risks, but a DPO can help you limit them and prepare, should one materialise itself.
A DPO can be your employee or an external consultant you have a contract with. If you choose the contract option, you have the flexibility to ask for as much support as you think you need.
Naomi Korn Associates has helped many clients with specific project work and added others to our retainer service for continued support. Contact us to learn more.
Peace of mind for your business
Only because you may not be required by law to have a DPO, that doesn’t mean you are excused from complying with data protection law. If you are processing personal data – as a freelancer, SME or a charity – the UK GDPR applies to you.
This is why having a DPO in the background to constantly monitor your compliance will give you peace of mind that you are meeting your obligations as a controller. It is their job to ensure your processes are reviewed and constantly improved, and that your staff knows what they are expected to do with personal data.
This gives you the time and space to focus on your core business, achieving your overall objectives as an organisation.
Dedicated support and representation
A DPO is there to help you with any disputes, investigations and complaints that may arise as a result of your personal data activities. For example:
- Managing people’s requests for information and any subsequent complaints to the ICO.
- Liaising with the ICO about those complaints or any other queries the regulator may have.
- Investigating personal data breaches efficiently, working with other teams when needed.
It is too late to be thinking about appointing a DPO when a dispute or a breach takes place. There will be no time to deal with the incident in a timely manner.
What should I be aware of when appointing a DPO?[1]
- Your DPO helps you with compliance, but they are not responsible for it – your organisation is because you are the controller of personal data.[2] You don’t have to follow their advice, but it will be difficult to demonstrate you are compliant if you ignore it without a good reason.
- Your DPO must be independent, and you must not tell them how to perform their duties. Don’t appoint a certain DPO if there is a risk there may be a conflict of interest either.
- Your DPO must report to senior management, so your leaders are aware of your compliance and any imminent or developing risks.
- If you don’t have to appoint a DPO but you choose to anyway, the same duties and responsibilities apply as if you were.
At Naomi Korn Associates, we work with various organisation to help improve their compliance obligations. We are the acting DPO for a number of Higher Education and Further Education Organisations, several Schools, charities and corporate organisations. We also provide project specific support, assistance with DSARs, operational tools and templates, jargon-free advice, practical training and mentoring to ensure organisations comply with data protection on a day-to-day basis. For more information contact info@naomikorn.com.
[1] UK GDPR, Article 38
[2] UK GDPR, Article 5(2)