Article 37 of the General Data Protection Regulation is all about the ‘designation of the Data Protection Officer’.
What exactly does this mean? What does a data protection officer do, who should they be, and is it a requirement to have one?
What is a Data Protection Officer?
A data protection officer is someone who should be aware of all aspects of protecting data. They are the first point of contact if any data requests come into the company, the person who should be made aware of and handle data breaches, and the person who communicates with the ICO (Information Commissioner's Office) should anything need to be reported or discussed. The role of the DPO is discussed in more depth in this article from the ICO.
Does our organisation require a Data Protection Officer?
Not necessarily. Designation of a DPO is only mandatory in the three specific cases set out in Article 37:
- When data processing is carried out by a public authority or body
- When the core activities/purpose of the organisation consist of consistent data processing and monitoring of this data on a large scale
- When the core activities/purpose of the organisation consist of processing large quantities of data relating to any of: ethnic origin, political opinions, religious beliefs, genetic data, data concerning health, or data concerning a subject's sex life or sexual orientation
If an organisation does not fall into any of these cases, it is not legally required to have a DPO, and appointing one is therefore completely optional. However, if any issues were ever to come up regarding the regulations set out by the GDPR, an external consultant can be used as a DPO.
If your business does not require a DPO, you should still have an assigned member of staff to deal with any data protection or GDPR-related queries. They could have the title/role (in addition to their existing role in the business) of Data Protection Manager or Privacy Manager. They would be responsible for managing the processes for dealing with data breaches and subject access requests, and for assisting the business with any other data protection or GDPR-related activities. This distinguishes them from a fully-fledged DPO, who would be required to have a deep understanding of the GDPR and professional experience and knowledge of data protection law, while still giving you clear authority and accountability within the business.
Who should be the data protection officer?
The data protection officer shall be designated on the basis of professional qualities and, in particular, expert knowledge of data protection law and practices and the ability to fulfil the tasks referred to in Article 39.
Some of these tasks include: informing and advising employees of their obligations, monitoring general compliance with the regulation, and acting as a point of contact for the ICO.
Some organisations may only have a few employees, so assigning someone with 'expert knowledge of data protection' may not be viable. However, if an organisation only has a few employees, it is unlikely to be required to have a DPO.
Despite this, it is still worth somebody reading up on the GDPR, understanding it, ensuring the organisation is compliant with its regulations, and acting as a point of contact for the ICO in case anything were ever to come up.
If you would like more detailed information on Data Protection Officers and Article 37, please see the following: https://iapp.org/media/pdf/resource_center/WP29-2017-04-DPO-Guidance.pdf