Data Protection Officers – who needs them?

It’s been almost 5 years since the GDPR came into force. Most people are aware of the basic obligations under new data protection laws and have come across the term “data protection officer” (DPO) before, but what is a DPO, who needs one, and how can appointing a DPO benefit your business?

What is a Data Protection Officer?

The role of “data protection officer” is a statutory one – the GDPR sets out the requirements for appointing and engaging a DPO as well as the mandatory tasks that a DPO must carry out (Articles 37 to 39, if you’re interested).

A DPO is an independent expert that assists a business with its compliance with data protection laws. The three key functions of a DPO are:

  • to monitor the business’ compliance with data protection laws and with the business’ own internal policies on data protection;
  • to inform and advise the business on its legal obligations under data protection laws; and
  • to act as a point of contact for the supervisory authorities (such as the ICO in the UK) and data subjects.

It is a legal requirement, and also vital in practice, that a DPO is an expert in data protection law and practices. This means that they should not only have an excellent working knowledge of data protection laws, but also the experience to put that knowledge into practice to manage compliance efforts across the business.

Are you legally required to have a DPO?

Whether or not you legally require a DPO will usually depend on the nature of your business (the exception being public authorities, which always require a DPO).

For private entities, a DPO is a legal requirement where the core activities of the business involve:

  • regular and systematic monitoring of data subjects on a large scale; and/or
  • the processing of “special categories” of personal data (or data about criminal convictions and offences) on a large scale.

The vast majority of businesses will collect minimal, if any, data about criminal convictions and offences – this is generally prohibited in the UK unless there is a specific legal right or obligation to do so.

However, many businesses will process large amounts of special category data (see below) and/or conduct regular and systematic monitoring of data subjects – online profiling for targeted adverts is likely to check that box (and let’s be honest, you probably do that, don’t you?).

Special Categories of Personal Data

  • Racial or ethnic origin
  • Political opinions
  • Religious or philosophical beliefs
  • Trade union membership
  • Genetic and biometric data
  • Data about health
  • Sex life or sexual orientation

What if you don’t legally require a DPO?

Every business should (I’d go so far as must) have an individual, or a team, responsible for implementing and monitoring GDPR compliance.

Privacy should be built into every area of your business from the ground up – this is the notion of “privacy by design”. Whenever you start a new project that involves the use of personal data, there should be someone within your business involved in that process who knows the law, has the experience to anticipate potential risks, and who has sufficient authority within the business to ensure that good data practices are implemented and followed.

If you’re not legally required to appoint a DPO, there is nothing stopping you from appointing one voluntarily – a DPO can be a driver for positive change in many businesses and the impact of a good data protection regime across your operations can help to build customer trust and bolster your reputation.

Equally, if you do not want to appoint a DPO for any reason (for example, you may feel that the strict independence afforded to a statutory DPO is not necessary in the context of your business), you can appoint a non-statutory “data protection compliance officer” to carry out effectively the same role as a DPO without the statutory requirements.

Having an expert available to guide you on your compliance journey is a must-have for all businesses. If you’re not legally required to have a DPO, then what you call that role is up to you.

What’s the benefit of having a DPO?

See our logo up in the top left? RISK. That’s what this is all about. Failing to implement good data protection practices across your business represents a significant risk in a number of areas, and the primary benefit of having a DPO (or a similar non-statutory role) is to enable you to reduce that risk.

Everyone has heard about the maximum fines under the GDPR (£17.5m or 4% of worldwide annual turnover if greater, in the UK), but that’s just the tip of the iceberg.

Regulatory Risk

First and foremost, there is the risk of enforcement action when you get data protection compliance wrong. The ICO and other supervisory authorities have the power to enter your premises to conduct audits and to require you to provide information or take certain actions, as well as to issue eye-watering fines for serious breaches.

Good internal practices and policies can help to reduce that risk, and good data governance and organisation can make your job much easier when it comes to complex processes like handling large subject access requests. Your DPO can help to implement policies and put those processes into place.

Reputational Risk

Enforcement action is a road that no business wants to travel, but a profitable business will at least recover from a hefty fine. However, the reputational damage that may be caused by poor privacy practices or serious data breaches or cyberattacks can be harder to recover from – particularly if the media get their mitts on the story.

This Centrify study reported that a whopping 65% of consumers affected by a data breach claimed to have lost trust in the organisation in question, not to mention 5% of public companies’ stock price being immediately wiped following disclosure of a data breach. This study is a few years old now, but I can imagine those figures would look even more alarming today as public awareness and media coverage of data protection matters have skyrocketed in recent years.

Much as the best offence is a good defence, the best way to avoid reputational damage in this way is to put systems and processes in place to prevent breaches from occurring in the first place – this is where your DPO comes in.

Commercial Risk

A failure to follow good data protection practices can have a significant impact on a business’ internal operations, before the authorities or your customers ever become involved.

Applying good information security practices to all of your data (not just personal data) can help to reduce the risk that you lose information that is vital to your business. Whether it’s intellectual property, trade secrets or critical know-how, try to imagine for a moment what you would do if you lost that data – or, worse, if it were held to ransom in a cyberattack.

Badly organised company data and inefficient processes are likely to rack up the time and costs needed to deal with any issues that arise, so good data management practices can have significant financial benefits. One area that many businesses overlook is supply chain assurance – good luck winning that public sector contract if you can’t demonstrate your ability to ensure the security and integrity of personal data.

A good DPO will oversee data management across the business from governance (top-down) to day-to-day operations (bottom-up), and the benefits of good practice will seep into every area of your business.

Remote DPO Services

Finding a good DPO is difficult. There are relatively few experts out there to choose from, and engaging a full-time DPO in-house is cost-prohibitive for many businesses.

Risk Deputy provides a Remote DPO service which we believe offers the perfect middle ground for many businesses. A fixed monthly cost gives you budget certainty and flexible plans mean that you only need to pay for the level of support you require, and you get the benefit of our years of knowledge and practical experience from private legal practice. This service can be provided as a statutory or non-statutory role, depending on your business requirements.

Engage us as your DPO, and let us take care of GDPR compliance.

Will Eggleston