When the GDPR came into force back in May last year one of the changes introduced was the concept of having a Data Protection Officer of DPO. Whilst for some organisations a DPO is now compulsory, there’s an argument for most organisations having a DPO (of some kind), mandated or not.
Those mandated to have a DPO
If you meet the following criteria, you have no choice, you must have a DPO if:
- you are a public authority or body (so that means government, schools, academies, councils, etc.)
- your core activities include carrying out on a large scale the regular and systematic monitoring of individuals (e.g. if you carry out online behaviour tracking or monitor CCTV); or
- your core activities consist of the processing, on a large scale, of special category data (i.e. data relating to health, trade union membership, religious beliefs, biometric data used for ID purposes, etc.) or criminal conviction and offence data
There are some challenges around the definitions of what is consider a “core activity” and what is “large scale”, plus in some cases it’s not always easy to determine whether your activities are “regular” or “systematic”. The ICO with the help of the EU provide some examples and interpretation but it’s up to you to determine if you need a DPO.
Furthermore, if you decide you are mandated to have one then the DPO has specific duties and responsibilities which have are set out in law, including being registered as your DPO with the ICO.
But if you’re not mandated to have a DPO?
If you don’t meet the conditions set out in law requiring a DPO, then you don’t need a DPO according to the law… but as the title of this blog piece suggests, is thinking about it in terms of whether the law says you have to have one, good practice?
I would argue that even if you don’t have to, by law, have a DPO you should still consider the merits carefully of having someone within your organisation taking responsibility for your data and privacy compliance. They won’t need to be bound so tightly to what the GDPR says they have to do and you won’t have to register them with the ICO, but there are benefits of having someone who is taking that data protection responsibility across your business. You don’t need to be even called the DPO, maybe they’re your Data Protection Champion or Manager or even someone who has other responsibilities – I see marketing, IT and HR managers often taking on the role).
Having someone mandated or not acting as your Data Protection Officer (DPO)/Data Protection Champion/etc. means:
- You’ll have a central point of contact externally, for any data protection issues such as the ICO contacting you about a complaint, dealing with subject access rights or the other individuals’ rights
- You’ll have a central point of contact internally for any data protection and privacy related questions or queries (“I’ve got this marketing data, can I do this with it?” or “am I allowed to do this with this data” kind of questions) and even if they don’t know the answer, they will know they have the responsibility to find out and your colleagues will know they have to speak to this person before getting carried away
- You’ll have someone who can make sure policies and training is up to date and relevant and able to keep an eye on compliance – remember the GDPR requires your organisation to be able to demonstrate it is compliant and the ICO indicate this includes reviewing compliance at appropriate intervals
- You’ll have someone who can help with the other elements of compliance like carrying out data protection impact assessments (DPIA), dealing with suspected breaches, etc.
- If you’ve not yet started on your GDPR compliance journey you have someone who can lead that project from start to finish
- You can be sure your compliance is taken care of
There are many good reasons to be making sure you have someone acting as your DPO even when you’re not mandated to have a DPO per se.
So, don’t think of it as a question of “do I need a DPO” from a GDPR compliance perspective, but “do I need a DPO” to ensure my business is safe and compliant perspective.
The downside of non-mandated DPOs
Now, there is one downside.
If you’re mandated to have a DPO you will, by law, be required to have someone who can operate independently within your business and who has the relevant expertise, so when it comes to do their job they’ll have it covered.
Of course if you’re not mandated to have a DPO but as I suggest have someone acting as your compliance champion, they don’t have to be an expert (or indeed independent) which in turn means that most business appoint someone who has no or little data protection experience.
This doesn’t mean you can’t have someone with any data protection expertise acting as your champion, it just means you need to be mindful they will need help and support and that for them they may feel that added pressure of worry whether they’ve got all the bases covered. And let’s face it, unless you’re a data compliance geek there’s a good chance you won’t get anyone volunteering for the role, so your chosen champion may be a little unhappy about the new role you’ve given them…
But all is not lost
This is where the Digital Compliance Hub comes in. We can help your business whether you need a mandated DPO or whether your internal Champion needs help and support.
Our main package is all about offering support and guidance; we offer a helpline backed up with a library of resources including guidance, toolkits and other support materials as well as policy templates, interactive checklists and walk-throughs – plus we explain everything simply, so you don’t need to be a privacy lawyer to understand the basics and more importantly your champion can be confident there’s always someone there to help them when they need to speak to a real person.
But, if you’re looking for a mandated DPO, we can help with that as well. Our Hub DPO package includes not only access to the Hub library of resources, toolkits, templates, etc. but more importantly you’re getting an expert consultant acting as your DPO. They can be registered as your DPO with the ICO and because they’re an external consultant they meet the independence requirements too. Our DPO service includes an initial review of your compliance and will put in place an action plan for delivering the compliance you need to get yourself up to date and compliant.
The Hub DPO package can also be used by businesses not needing a mandated DPO as the package works as a Data Protection Manager or Champion too!
And finally, if you are a DPO, DPM or Champion then a Hub subscription can certainly help you with keeping up to date, helping you with compliance decisions and choices and the helpline means you’ll always have someone there to call upon should you need the advice you can’t find anywhere else – think of us an alternative to using the ICO – you can talk to us in confidence (we’re happy to sign NDAs) about any tricky compliance issues rather than having to navigate around the ICO’s helpline.