Article 37 of the General Data Protection Regulation is all about the ‘designation of the data protection officer’.
What exactly does this mean? What does a data protection officer do, who should they be and is it a requirement to have one?
What is a data protection officer?
A data protection officer is someone who should be aware of all aspects of protecting data. They are the first point of contact when any data request comes into the company, the person who should be informed of and handle data breaches, and the person who communicates with the ICO (Information Commissioner's Office) should anything need to be reported or discussed.
Does our organisation require a Data Protection Officer?
Not necessarily. Designation of a DPO is mandatory only in three specific cases, as stated in Article 37:
- When data processing is carried out by a public authority or body
- When the core activities/purpose of the organisation consist of regular, systematic data processing and monitoring of this data on a large scale
- When the core activities/purpose of the organisation consist of processing large quantities of data relating to any of the following: ethnic origin, political opinions, religious beliefs, genetic data, data concerning health, or data concerning a subject's sex life or sexual orientation
If an organisation does not fall into any of these cases, it is not legally required to have a DPO, and appointing one is completely optional. However, if any issue were ever to come up regarding the regulations set out by the GDPR, an external consultant can be used as a DPO.
If it is not mandatory, the DPO is a voluntary position which can be given to anyone in the organisation. They will still have to comply with the same articles and rules as a mandatory DPO.
Who should be the data protection officer?
The data protection officer shall be designated on the basis of professional qualities and, in particular, expert knowledge of data protection law and practices and the ability to fulfil the tasks referred to in Article 39.
Some of these tasks include: informing and advising employees of their obligations, monitoring general compliance with the regulation, and acting as a point of contact for the ICO.
Some organisations may only have a few employees, so assigning someone with 'expert knowledge of data protection' may not be viable. However, an organisation with only a few employees is unlikely to be required to have a DPO.
Despite this, it is still worth somebody reading up on the GDPR, understanding it, ensuring the organisation is compliant with its regulations, and acting as a point of contact for the ICO should anything ever come up.
If you would like more detailed information on Data Protection Officers and Article 37 please check out the following: https://iapp.org/media/pdf/resource_center/WP29-2017-04-DPO-Guidance.pdf