There are some organisations that are required by law to have a Data Protection Officer. Perhaps you are one of them?  Read on to find out more about appointing a DPO if required, what you can do if you aren’t legally required to have one and how we can help.

The Data Protection Officer (DPO) is a staff member or external contractor appointed by the Data Controller or Processor to point you in the right direction and help you comply with your Data Protection obligations.  If you are legally required to have one, they should be an expert in Data Protection law.

Who needs a Data Protection Officer?

Under the GDPR (Article 37 – 39), the DPO is now a legally required position if:

  • The controller is a public authority.
  • The core activities of the controller or processor include regular and systematic monitoring of data subjects on a large scale.
  • The core activities of the controller or processor consist of large scale processing of special categories of data.

If you are a Public Authority, you’ll know this already.  This might include Schools, Councils, GP Surgeries.

Number two and three are a little more challenging.  The word ‘large’ isn’t defined, so you would need to look at the proportion of data processed by your business. Number three relates to ‘special categories’ (this is personal data that reveals racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation under Article 9 of the GDPR)

What are the Tasks and responsibilities of a DPO?

The DPO should:

  • Ensure compliance and manage risk by e.g. monitoring GDPR compliance including, advising on data protection impact assessments; providing GDPR training to staff and conducting periodic internal audits.
  • Advise the controller, processors and employees who carry out the processing, of their data protection obligations.
  • Be a point of contact with the supervisory authority.
  • Communicate with data subjects and the supervisory authority.
  • Exercise professional secrecy.

What is the responsibility of the Business?

As Data Controllers or Processors, you have the following obligations in relation to the DPO, including appointing a DPO where required:

  • Facilitate communication with, and involvement of, the DPO in all issues related to personal data protection;
  • Controllers and processors should involve DPOs in all personal data protection matters.
  • Provide support to the DPO.
  • Provide DPO with access to personal data and processing operations.
  • Help the DPO maintain expert knowledge of topics and issues related to personal data protection.
  • Ensure the DPO acts completely independently and does not receive instructions from anyone except the supervisory authority.
  • Ensure the DPO is not dismissed or penalised for performing his or her tasks.
  • Ensure that the DPO is not put in a situation that is a conflict of interest, such as a position that requires determining the purposes and means of processing personal data.
  • Ensure that the DPO reports to the highest levels of management.

Note that although the EU doesn’t exclude a DPO from carrying out more than one business function, it is essential to ensure that no conflict of interest exists. Ideally, a DPO will be a standalone role but if they do perform another function, it should not be a function that involves key decision making in the areas of IT, HR, Marketing, Finance or general business activity. The role of your DPO should be a ‘check and balance’ autonomous role.

Should we appoint a DPO if we don’t legally need one?

You may process special category personal data but you are unclear as to whether the amount is large enough, or you might be confident that you don’t need to appoint a DPO.  It’s a good idea, however,  to err on the side of caution and appoint a Privacy Officer or a Data Protection Manager who can perform the duties of a DPO.

What if we haven’t got a member of staff who is suitable?

If you haven’t got anyone ‘in house’ that is suitable or You can appoint an external provider of data protection officer services under a services contract whether that be an individual or an organisation.

GDPR guidelines recommend having, in the service contract, a clear allocation of tasks within the external DPO and to assign a key person (where there is a team) to take charge. This should help to avoid any misunderstandings around the scope of the role and avoid conflicts of interest.

Let us know if we can help you!

Author: Yvonne Morris



twitter: @CloudLegals


CloudLegal is a tech-enabled legal support consultancy which promises practical commercial and jargon-free advice. We support all company matters, commercial contracts/ Ts & Cs (including software and IT), employment & HR as well as data protection matters. We have various services including: