GDPR and the role of the Data Protection Officer (DPO)
“We have an opportunity to set out a new culture of data confidence in the UK”
What is a Data Protection Officer?
A data protection officer (DPO) is an organisational leadership role required by the General Data Protection Regulation (GDPR). DPOs are responsible for overseeing data protection strategy and implementation to ensure compliance with GDPR requirements.
The DPO should:
- Provide advice and guidance to the organisation and its employees on the requirements of the GDPR.
- Monitor the organisation’s compliance.
- Be consulted and provide advice during Data Protection Impact Assessments.
- Be the point of contact for data subjects and for cooperating and consulting with national supervisory authorities, such as the Information Commissioner’s Office.
- Take responsibility for carrying out data audits and for overseeing the implementation of compliance tools.
- The DPO must be able to act independently, be adequately resourced and be able to report directly to senior management to raise concerns.
There are three specific criteria around the requirement to appoint a DPO:
- Where the processing is carried out by a public authority or body.
- Where the “core activities” of the controller or processor consist of processing operations which require “regular and systematic monitoring” of data subjects on a “large scale”; or
- Where the “core activities” of the controller or processor consist of processing on a “large scale” of “special categories of personal data”.
The requirements apply to both controllers and processors.
GDPR Article 29 suggests that “core activities” should include activities where the processing of data forms an inextricable part of the controller or processor’s activities. For example, a hospital’s or GP practice’s core activity is the provision of health care, which requires processing of special category personal data such as health records. The hospital or practice therefore must appoint a DPO – this can be an individual or an external service. Conversely, processing such data for payroll and employment purposes would be ancillary to an organisation’s core activities.
When considering whether processing is “large scale”, the WP29 recommends that organisations consider duration and scope (in terms of volume of personal data and data subjects). For completeness, monitoring includes more than just online monitoring. Much of this will not apply to the GP practice but includes data-driven marketing, credit scoring, location tracking, CCTV, and using data from connected devices such as wearables, smart meters, and home automation.