
Do you need a DPO?

February 6, 2023

Assuming that your organisation is not a public authority or body (in which case you must have a DPO), these are the first tests to see whether you need a Data Protection Officer:

  • monitoring data subjects regularly and systematically
  • processing special categories of data
  • processing information relating to criminal conviction or offences

What constitutes a ‘core activity’ and ‘large-scale’ will depend on your context, the nature of the data you are processing and many other factors. It’s too big a topic for this article.

The data protection challenge

Perhaps none of the above apply, so you don’t need a DPO, right? Well, it’s not that simple either. The list above determines when you must appoint a DPO. However, the guidance under the GDPR is clear: where risks to privacy exist, you should still appoint a Data Protection Officer.

At this point we see two different reactions to the notion of appointing a DPO. Let’s deal with them in turn.

The progressive view recognises the value of protecting personal data; as such, the appointment of a DPO is seen as an investment in building trust with your customers, stakeholders and employees. If this is you, then you’ll be thinking about how to turn data protection into a competitive advantage and how not to let a significant data breach ruin your hard-earned brand reputation. For you, hiring a DPO is a must regardless of whether it’s mandated or not.

The regressive view is that the GDPR is just another piece of red tape that’s getting in the way of doing business and adding costs that reduce your bottom line. In this case, the DPO role is seen as simply another expense to be minimised where possible. You’ll be trying to find reasons not to have a DPO.

Whichever view you identify with the most, the practical nature of processing personal data means that most organisations now need a DPO to support them in their day-to-day operations. Here are just some of the tasks that require the support of a professional Data Protection Officer:

  • creating and updating relevant policies, standards and procedures
  • supporting you in identifying and addressing data protection risks
  • answering day-to-day data protection queries escalated from managers
  • keeping mandatory data processing records
  • shaping awareness and training materials
  • monitoring data protection compliance
  • providing guidance on implementing Data Protection by Design and by Default
  • determining when you need to conduct a Data Protection Impact Assessment (DPIA)
  • assisting the investigation and handling of personal data breaches
  • handling data protection complaints and claims
  • liaising with the Information Commissioner’s Office and other regulators

Your next step will be to decide who to designate as your DPO. Due to the legal requirements, it’s extremely unlikely that an existing member of staff would be deemed suitable for the role. Your options will be to hire a full-time salaried senior member of staff or to engage the services of an external Data Protection Officer. We have written an article discussing who can be a DPO.
