- A Data Protection Officer (DPO) ensures that the business or organisation concerned processes personal data in compliance with the applicable data protection rules.
- A DPO may be an internal staff member or an external entity, and may be an individual or a business, working full-time or part-time depending on need.
- Appointment of a DPO is a mandatory requirement for all public authorities, save for courts acting in a judicial capacity.
- For businesses or organisations that are not public authorities, a DPO need not be appointed unless their core activities involve processing of sensitive data on a large scale, or large-scale, regular and systematic monitoring of individuals.
- A DPO must be sufficiently experienced and qualified for the role, have no conflict of interest (i.e. not be a controller), have the power to investigate where necessary, have sufficient funding, be in control of their own budget, and report to the Board of Directors or equivalent. They cannot be dismissed for providing unwelcome advice.
- A DPO must register with the ICO.
The DPO’s responsibilities include:
- Inform and advise the controller or processor of their obligations under data protection law;
- Monitor the organisation's compliance with all data protection legislation, including through audits, awareness-raising activities and training;
- Provide advice where a Data Protection Impact Assessment has been carried out and monitor its performance;
- Act as a contact point for requests from individuals regarding the processing of their personal data and the exercise of their rights.
Sources:
- Articles 37, 38 and 39 and Recital (97) of the GDPR
- EDPB Guidelines on Data Protection Officers (‘DPOs’), WP 29, 2017
- ICO guidance, with links to further reading