Data protection officers
Under Part 3 of the Act, you must appoint a data protection officer (DPO) unless you are a court, or other judicial authority, acting in a judicial capacity.
You may appoint a single data protection officer to act for a group of controllers, taking into account their structure and size.
Regardless of whether the UK GDPR or Part 3 of the Act obliges you to appoint a DPO, you must ensure that relevant staff have sufficient skills and expertise to discharge your obligations.
What are the tasks of the DPO?
The DPO’s minimum tasks are defined in Part 3, Chapter 4 of the Act:
- to inform and advise the controller, its employees, and any associated processors about their obligations to comply with the UK GDPR and other relevant data protection laws such as Part 3 of the Act;
- to monitor compliance with data protection laws, including managing internal data protection activities, advising on data protection impact assessments, training staff and conducting internal audits; and
- to be the first point of contact for the Information Commissioner and for individuals whose data is processed (employees, customers, etc.).
What does Part 3 of the Act say about employer duties?
You must ensure that:
- the DPO reports to the highest relevant management level of your organisation – ie board level;
- the DPO operates independently and is not dismissed or penalised for performing their tasks (a DPO can still be dismissed or penalised for misconduct or negligence relating to those tasks); and
- you provide adequate resources to enable the DPO to meet their obligations under the UK GDPR or Part 3 of the Act.
Can we allocate the role of DPO to an existing employee?
Yes, as long as the employee's professional duties are compatible with the duties of the DPO and do not lead to a conflict of interests.
You can also contract out the role of DPO externally.
Does the DPO need specific qualifications?
Neither the UK GDPR nor Part 3 of the Act specifies the precise credentials a data protection officer is expected to have.
Both do, however, require that the DPO has professional experience and knowledge of data protection law. This should be proportionate to the type of processing you carry out, taking into consideration the level of protection the personal data requires.