Get Free Downloads
Start your GDPR today in just a few clicks
      
Get Free Downloads
Start your GDPR today in just a few clicks

Do I Need A Data Protection Officer?

Tagged with dpo, gdpr, data protection, ico
by Paddy Green
in Blog

22-May-2018 13:10

Data Protection Officer (DPO) is a term that's bandied about a lot in the GDPR - but not all companies/organisations need one. Here's a little guidance to demystify the DPO decision.

A Data Protection Officer (DPO) is a position within a corporation that acts as an independent advocate for the proper care and use of customer’s information.

Under the GDPR, you must appoint a DPO if:

  • you are a public authority (except for courts acting in their judicial capacity);
  • your core activities require large scale, regular and systematic monitoring of individuals (for example, online behaviour tracking); or
  • your core activities consist of large scale processing of special categories of data or data relating to criminal convictions and offences.

This applies to both controllers and processors. You can appoint a DPO if you wish, even if you aren’t required to. If you decide to voluntarily appoint a DPO you should be aware that the same requirements of the position and tasks apply had the appointment been mandatory.

Regardless of whether the GDPR obliges you to appoint a DPO, you must ensure that your organisation has sufficient staff and resources to discharge your obligations under the GDPR. However, a DPO can help you operate within the law by advising and helping to monitor compliance. In this way, a DPO can be seen to play a key role in your organisation’s data protection governance structure and to help improve accountability.

If you decide that you don’t need to appoint a DPO, either voluntarily or because you don’t meet the above criteria, it’s a good idea to record this decision to help demonstrate compliance with the accountability principle.