GDPR created a legal obligation for many companies to have a Data Protection Officer (DPO).
The DPO provides an independent oversight role for data protection.
The DPO must report directly to the most senior level of management. Getting it right is important.
On this page, we look at:
At DataGRC, we can provide you with senior, experienced data protection officers, auditors and advisors.
Our services are available on an interim or permanent, full-time or part-time, retainer or on-demand basis.
Contact us to discuss DPO requirements or services. We can support or audit your existing team, provide independent advice or be your outsourced DPO.
+44 (0) 208 133 0242
GDPR mandates that specific types of organisations assign a formal Data Protection Officer.
At a high level, this is an obligation for:
The definition of "large scale" creates a challenge, even though some guidance has been provided, which suggests it includes processing of:
Data protection authorities have also provided examples that do not constitute large-scale processing, which includes processing of:
Even if not mandatory, some companies may still choose to nominate a Data Protection Officer. However, terms such as Data Protection Manager or Privacy Manager are often used, so that the individual is not subject to the legal obligations and exclusions.
For many organisations that are obliged to have a DPO, it is not economical to assign a full-time employee to the role.
GDPR specifically states that the DPO can be outsourced, under a service contract, and that an individual can concurrently provide DPO services to more than one organisation.
Use of a virtual DPO, whether full-time or part-time, can help organisations to benefit from the necessary skills while minimising the direct cost to the organisation.
An outsourced DPO must still have a very good understanding of the organisation they're working for, in order to fulfil their duties.
The use of a service contract also has important implications under UK tax law relating to IR35 for third-party workers and contractors. Standard employment benefits or restrictions no longer apply.
EU data protection law mandates that the DPO must fulfil certain obligations and tasks. This includes:
The organisation must not ask the DPO to complete tasks that could result in a conflict of interest. For example, the DPO couldn't define security controls and then carry out their duties to monitor whether those controls are deemed compliant.
The DPO must be in a position to perform their duties and tasks in an independent manner.
The DPO's priorities and level of activity should be based on the underlying level of privacy risk, considering the nature, scope, context and purposes of any processing.
The DPO is required to provide advice and assurance, but is legally not directly or personally accountable for the company's data protection, in the way that an MLRO (Money Laundering Reporting Officer) is for anti-money laundering.
DPOs require quite a multi-disciplinary skill set.
GDPR says they must be designated on the basis of professional qualities and, in particular, expert knowledge of data protection law and practices. They must be able to fulfil the designated tasks.
A DPO will require technical skillsets relating to data privacy and data security, including the associated assessment of risks and controls.
Soft skills are also important, in order for them to:
If you have further questions, comments or requirements, please contact us about the virtual DPO.
The information provided on this page is aimed at most companies, most of the time. It should not be taken as definitive advice for your business. Always consult a specialist, like the DataGRC team, about your business.