At a glance
- The UK GDPR introduces a duty for you to appoint a data protection officer (DPO) if you are a public authority or body, or if you carry out certain types of processing activities.
- DPOs assist you to monitor internal compliance, inform and advise on your data protection obligations, provide advice regarding Data Protection Impact Assessments (DPIAs) and act as a contact point for data subjects and the Information Commissioner’s Office (ICO).
- The DPO must be independent, an expert in data protection, adequately resourced, and report to the highest management level.
- A DPO can be an existing employee or externally appointed.
- In some cases several organisations can appoint a single DPO between them.
- DPOs can help you demonstrate compliance and are part of the enhanced focus on accountability.
Appointing a DPO
☐ We are a public authority or body and have appointed a DPO (except if we are a court acting in our judicial capacity).
☐ We are not a public authority or body, but we know whether the nature of our processing activities requires the appointment of a DPO.
☐ We have appointed a DPO based on their professional qualities and expert knowledge of data protection law and practices.
☐ We aren’t required to appoint a DPO under the UK GDPR but we have decided to do so voluntarily. We understand that the same duties and responsibilities apply had we been required to appoint a DPO. We support our DPO to the same standards.
Position of the DPO
☐ Our DPO reports directly to our highest level of management and is given the required independence to perform their tasks.
☐ We involve our DPO, in a timely manner, in all issues relating to the protection of personal data.
☐ Our DPO is sufficiently well resourced to be able to perform their tasks.
☐ We do not penalise the DPO for performing their duties.
☐ We ensure that any other tasks or duties we assign our DPO do not result in a conflict of interests with their role as a DPO.
Tasks of the DPO
☐ Our DPO is tasked with monitoring compliance with the UK GDPR and other data protection laws, our data protection policies, awareness-raising, training, and audits.
☐ We will take account of our DPO’s advice and the information they provide on our data protection obligations.
☐ When carrying out a DPIA, we seek the advice of our DPO who also monitors the process.
☐ Our DPO acts as a contact point for the ICO. They co-operate with the ICO, including during prior consultations under Article 36, and will consult on any other matter.
☐ When performing their tasks, our DPO has due regard to the risk associated with processing operations, and takes into account the nature, scope, context and purposes of processing.
Accessibility of the DPO
☐ Our DPO is easily accessible as a point of contact for our employees, individuals and the ICO.
☐ We have published the contact details of the DPO and communicated them to the ICO.
Do we need to appoint a Data Protection Officer?
Under the UK GDPR, you must appoint a DPO if:
- you are a public authority or body (except for courts acting in their judicial capacity);
- your core activities require large scale, regular and systematic monitoring of individuals (for example, online behaviour tracking); or
- your core activities consist of large scale processing of special categories of data or data relating to criminal convictions and offences.
This applies to both controllers and processors. You can appoint a DPO if you wish, even if you aren’t required to. If you decide to voluntarily appoint a DPO you should be aware that the same requirements of the position and tasks apply had the appointment been mandatory.
Regardless of whether the UK GDPR obliges you to appoint a DPO, you must ensure that your organisation has sufficient staff and resources to discharge your obligations under the UK GDPR. However, a DPO can help you operate within the law by advising and helping to monitor compliance. In this way, a DPO can be seen to play a key role in your organisation’s data protection governance structure and to help improve accountability.
If you decide that you don’t need to appoint a DPO, either voluntarily or because you don’t meet the above criteria, it’s a good idea to record this decision to help demonstrate compliance with the accountability principle.
What is the definition of a public authority?
Section 7 of the Data Protection Act 2018 defines what a ‘public authority’ and a ‘public body’ are for the purposes of the UK GDPR.
What are ‘core activities’?
The other two conditions that require you to appoint a DPO only apply when:
- your core activities consist of processing activities, which, by virtue of their nature, scope and / or their purposes, require the regular and systematic monitoring of individuals on a large scale; or
- your core activities consist of processing on a large scale of special category data, or data relating to criminal convictions and offences.
Your core activities are the primary business activities of your organisation. So, if you need to process personal data to achieve your key objectives, this is a core activity. This is different to processing personal data for other secondary purposes, which may be something you do all the time (eg payroll or HR information), but which is not part of carrying out your primary objectives.
For most organisations, processing personal data for HR purposes will be a secondary function to their main business activities and so will not be part of their core activities.
However, a HR service provider necessarily processes personal data as part of its core activities to provide HR functions for its client organisations. At the same time, it will also process HR information for its own employees, which will be regarded as an ancillary function and not part of its core activities.
What does ‘regular and systematic monitoring of data subjects on a large scale’ mean?
There are two key elements to this condition requiring you to appoint a DPO. Although the UK GDPR does not define ‘regular and systematic monitoring’ or ‘large scale’, the Article 29 Working Party (WP29) provided some guidance on these terms in its guidelines on DPOs. WP29 has been replaced by the European Data Protection Board (EDPB) which has endorsed these guidelines. Although these guidelines relate to the EU version of the GDPR, they are also a useful resource for understanding the requirements of the UK GDPR.
‘Regular and systematic’ monitoring of data subjects includes all forms of tracking and profiling, both online and offline. An example of this is for the purposes of behavioural advertising.
When determining if processing is on a large scale, the guidelines say you should take the following factors into consideration:
- the numbers of data subjects concerned;
- the volume of personal data being processed;
- the range of different data items being processed;
- the geographical extent of the activity; and
- the duration or permanence of the processing activity.
A large retail website uses algorithms to monitor the searches and purchases of its users and, based on this information, it offers recommendations to them. As this takes place continuously and according to predefined criteria, it can be considered as regular and systematic monitoring of data subjects on a large scale.
What does processing special category data and personal data relating to criminal convictions and offences on a large scale mean?
Processing special category data or criminal conviction or offences data carries more risk than other personal data. So when you process this type of data on a large scale you are required to appoint a DPO, who can provide more oversight. Again, the factors relevant to large-scale processing can include:
- the numbers of data subjects;
- the volume of personal data being processed;
- the range of different data items being processed;
- the geographical extent of the activity; and
- the duration or permanence of the activity.
A health insurance company processes a wide range of personal data about a large number of individuals, including medical conditions and other health information. This can be considered as processing special category data on a large scale.
What professional qualities should the DPO have?
- The UK GDPR says that you should appoint a DPO on the basis of their professional qualities, and in particular, experience and expert knowledge of data protection law.
- It doesn’t specify the precise credentials they are expected to have, but it does say that this should be proportionate to the type of processing you carry out, taking into consideration the level of protection the personal data requires.
- So, where the processing of personal data is particularly complex or risky, the knowledge and abilities of the DPO should be correspondingly advanced enough to provide effective oversight.
- It would be an advantage for your DPO to also have a good knowledge of your industry or sector, as well as your data protection needs and processing activities.
What are the tasks of the DPO?
The DPO’s tasks are defined in Article 39 as:
- to inform and advise you and your employees about your obligations to comply with the UK GDPR and other data protection laws;
- to monitor compliance with the UK GDPR and other data protection laws, and with your data protection polices, including managing internal data protection activities; raising awareness of data protection issues, training staff and conducting internal audits;
- to advise on, and to monitor, data protection impact assessments;
- to cooperate with the ICO; and
- to be the first point of contact for the ICO and for individuals whose data is processed (employees, customers etc).
It’s important to remember that the DPO’s tasks cover all personal data processing activities, not just those that require their appointment under Article 37(1).
- When carrying out their tasks the DPO is required to take into account the risk associated with the processing you are undertaking. They must have regard to the nature, scope, context and purposes of the processing.
- The DPO should prioritise and focus on the more risky activities, for example where special category data is being processed, or where the potential impact on individuals could be damaging. Therefore, DPOs should provide risk-based advice to your organisation.
- If you decide not to follow the advice given by your DPO, you should document your reasons to help demonstrate your accountability.
Can we assign other tasks to the DPO?
The UK GDPR says that you can assign further tasks and duties, so long as they don’t result in a conflict of interests with the DPO’s primary tasks.
As an example of assigning other tasks, Article 30 requires that organisations must maintain records of processing operations. There is nothing preventing this task being allocated to the DPO.
Basically this means the DPO cannot hold a position within your organisation that leads him or her to determine the purposes and the means of the processing of personal data. At the same time, the DPO shouldn’t be expected to manage competing objectives that could result in data protection taking a secondary role to business interests.
A company’s head of marketing plans an advertising campaign, including which of the company’s customers to target, what method of communication and the personal details to use. This person cannot also be the company’s DPO, as the decision-making is likely to lead to a conflict of interests between the campaign’s aims and the company’s data protection obligations.
On the other hand, a public authority could appoint its existing FOI officer / records manager as its DPO. There is no conflict of interests here as these roles are about ensuring information rights compliance, rather than making decisions about the purposes of processing.
Can the DPO be an existing employee?
Yes. As long as the professional duties of the employee are compatible with the duties of the DPO and do not lead to a conflict of interests, you can appoint an existing employee as your DPO, rather than you having to create a new post.
Can we contract out the role of the DPO?
You can contract out the role of DPO externally, based on a service contract with an individual or an organisation. It’s important to be aware that an externally-appointed DPO should have the same position, tasks and duties as an internally-appointed one.
Can we share a DPO with other organisations?
- You may appoint a single DPO to act for a group of companies or public authorities.
- If your DPO covers several organisations, they must still be able to perform their tasks effectively, taking into account the structure and size of those organisations. This means you should consider if one DPO can realistically cover a large or complex collection of organisations. You need to ensure they have the necessary resources to carry out their role and be supported with a team, if this is appropriate.
- Your DPO must be easily accessible, so their contact details should be readily available to your employees, to the ICO, and people whose personal data you process.
Can we have more than one DPO?
- The UK GDPR clearly provides that an organisation must appoint a single DPO to carry out the tasks required in Article 39, but this doesn’t prevent it appointing other data protection specialists as part of a team to help support the DPO.
- You need to determine the best way to set up your organisation’s DPO function and whether this necessitates a data protection team. However, there must be an individual designated as the DPO for the purposes of the UK GDPR who meets the requirements set out in Articles 37-39.
- If you have a team, you should clearly set out the roles and responsibilities of its members and how it relates to the DPO.
- If you hire data protection specialists other than a DPO, it’s important that they are not referred to as your DPO, which is a specific role with particular requirements under the UK GDPR.
What do we have to do to support the DPO?
You must ensure that:
- the DPO is involved, closely and in a timely manner, in all data protection matters;
- the DPO reports to the highest management level of your organisation, ie board level;
- the DPO operates independently and is not dismissed or penalised for performing their tasks;
- you provide adequate resources (sufficient time, financial, infrastructure, and, where appropriate, staff) to enable the DPO to meet their UK GDPR obligations, and to maintain their expert level of knowledge;
- you give the DPO appropriate access to personal data and processing activities;
- you give the DPO appropriate access to other services within your organisation so that they can receive essential support, input or information;
- you seek the advice of your DPO when carrying out a DPIA; and
- you record the details of your DPO as part of your records of processing activities.
This shows the importance of the DPO to your organisation and that you must provide sufficient support so they can carry out their role independently. Part of this is the requirement for your DPO to report to the highest level of management. This doesn’t mean the DPO has to be line managed at this level but they must have direct access to give advice to senior managers who are making decisions about personal data processing.
What details do we have to publish about the DPO?
The UK GDPR requires you to:
- publish the contact details of your DPO; and
- provide them to the ICO.
This is to enable individuals, your employees and the ICO to contact the DPO as needed. You aren’t required to include the name of the DPO when publishing their contact details but you can choose to provide this if you think it’s necessary or helpful.
You’re also required to provide your DPO’s contact details in the following circumstances:
- when consulting the ICO under Article 36 about a DPIA; and
- when providing privacy information to individuals under Articles 13 and 14.
However, remember you do have to provide your DPO’s name if you report a personal data breach to the ICO and to those individuals affected by it.
Is the DPO responsible for compliance?
The DPO isn’t personally liable for data protection compliance. As the controller or processor it remains your responsibility to comply with the UK GDPR. Nevertheless, the DPO clearly plays a crucial role in helping you to fulfil your organisation’s data protection obligations.
In more detail - ICO guidance
In more detail – European Data Protection Board
The European Data Protection Board (EDPB), which has replaced the Article 29 Working Party (WP29), includes representatives from the data protection authorities of each EU member state. It adopts guidelines for complying with the requirements of the EU version of the GDPR.
WP29 published guidelines on DPOs and DPO FAQs, which have been endorsed by the EDPB.
EDPB guidelines are no longer directly relevant to the UK regime and are not binding under the UK regime. However, they may still provide helpful guidance on certain issue