You’ve likely heard a lot about ‘DPOs’ since the GDPR came into force in May 2018. So what is a DPO and what does one do? This blog takes you through FAQs about DPOs.
What is a DPO?
A data protection officer (DPO) is a role formalised by the GDPR, which makes its appointment mandatory for certain organisations. The DPO reports to the highest level of management in the organisation and must be able to act independently.
What is the role of the DPO?
The primary role of the DPO is to ensure that the organisation processes the personal data of its staff, customers, providers, or any other individuals, in compliance with data protection law.
DPO tasks include:
- working with the board and senior management on the organisation's privacy framework
- informing and advising the organisation about its obligations under data protection law
- monitoring compliance with data protection legislation and the organisation's own data protection policies, including:
  - awareness raising
  - training staff
  - conducting compliance audits
- providing advice on data protection impact assessments (DPIAs)
- assisting with subject access requests, requests for erasure ('the right to be forgotten') and the other rights of the data subject
- drafting policies and processes
- being the first point of contact for individuals whose data is processed (employees, customers etc.)
- ensuring that data processing agreements are in place with third parties handling personal data
- maintaining a central register of data security breach reports
- investigating, responding to and managing incidents and breaches (or alleged breaches) of data protection and privacy legislation, including liaising with the ICO and any other relevant regulator or law enforcement agency
- investigating, responding to and managing any other complaints or communications relating to data protection, privacy and/or security received:
  - from the ICO or any other relevant regulator
  - directly from staff, clients and members of the public, or
  - from any professional representatives
- providing advice and guidance on any data protection questions, issues or developments
Who needs a DPO?
The GDPR requires the designation of a DPO in three specific cases:
- where the processing is carried out by a public authority or body (irrespective of what data is being processed), except for courts acting in their judicial capacity;
- where the core activities of the controller or the processor consist of processing operations which, by virtue of their nature, scope and/or purposes, require regular and systematic monitoring of data subjects on a large scale; and
- where the core activities of the controller or the processor consist of processing on a large scale of special categories of data, or of personal data relating to criminal convictions and offences.
You can appoint a DPO even if you don't officially need one. Be aware, though, that a voluntarily appointed DPO is subject to the same GDPR requirements (independence, reporting line, no conflict of interest) as a mandatory one.
What does ‘core activities’ mean?
'Core activities' are your key operations, the things you do as a business. If processing personal data is an inseparable part of delivering your product or service (a hospital cannot treat patients without processing their health records, for example), then that processing is a core activity.
Supporting activities, such as paying your staff or running your IT support, are necessary to run your business but they are not your 'core activity', even though they involve personal data.
What does ‘large scale’ mean?
Unhelpfully, the GDPR does not define 'large scale'. The factors to weigh up are:
• How many data subjects are there?
• What is the volume of data and/or the range of data being processed?
• What is the duration of the data processing activity?
• What is the geographical extent of the processing?
What does ‘regular and systematic monitoring’ mean?
'Regular and systematic monitoring' of data subjects is not defined in the GDPR either. 'Regular' means ongoing or recurring at particular intervals; 'systematic' means carried out according to a system or plan rather than ad hoc. It clearly covers tracking and profiling on the internet, and also:
• email retargeting
• profiling and scoring for the purposes of risk assessment
• location tracking
• loyalty programmes
• behavioural advertising
• monitoring via wearable devices
• monitoring via connected devices
You need to do an assessment to see if you need a DPO. This can be complicated and we can help you – give us a call for a free consultation.
Who can be the DPO?
The UK GDPR says that your DPO must be designated on the basis of their professional qualities and, in particular, their expert knowledge of data protection law and practice.
The necessary skills and expertise include:
- expertise in national and European data protection laws and practices, including an in-depth understanding of the UK/EU GDPR, the Data Protection Act 2018 and the Privacy and Electronic Communications Regulations (PECR)
- understanding the processing operations carried out
- understanding information technologies and data security
- knowledge of the business sector and the organisation
The DPO can be either a staff member or an outsourced consultant. Either way, the DPO has to be independent and must report to the highest level of management in the business.
However, the DPO must not hold a position that creates a conflict of interest. As a rule of thumb, conflicting positions are senior management roles (such as chief executive, chief operating officer, chief financial officer, chief medical officer, head of marketing, head of human resources or head of IT), but a more junior role also conflicts if it involves deciding what personal data to process, why and how that processing will be done.
We don’t have anyone who can be our DPO. Where do we find an outsourced DPO?
That's the easy one to answer! We know how complex regulations such as the UK/EU General Data Protection Regulation (GDPR), the Data Protection Act 2018 and the Privacy and Electronic Communications Regulations (PECR) can seem.
That’s why we take the time to de-mystify them. So, you’ll know exactly what they mean for your business. We’ll help you identify areas of risk or non-compliance, explain the policies that need to be implemented, and show you how to use your data effectively. We’ll be there for you when you need us the most – when you’ve had a data breach or received a subject access request.
With Sapphire, you will have two points of contact, both of whom know you and your organisation. No call centres here! No having to explain your situation over and over again to different people. We work as part of your team — we know you and you know us.
How much does your outsourced DPO service cost?
Our DPO service costs £135 plus VAT a month. For that fee, you receive one hour of our time to use as you wish, from answering questions and providing advice to reviewing policies or drafting contracts. You will also receive regular updates on the law and other useful tips and advice via email. Any extra time is invoiced at the end of the month. You can add our name to your ICO registration as your DPO.
The best part of the service is peace of mind:
- Have a marketing query like ‘can I email these people?’. Just ask.
- Need a data sharing agreement? We’ll draft it for you.
- Had a data breach? Call us immediately and we’ll handle it for you.
- Have a subject access request? No problem. Send it over.
- Need advice on a retention period? Just ask.
We are part of your team and here to help you, without the monthly wage bill of a full-time employee.