We guide organisations, based within or outside of Europe, to determine if they are required by law to appoint a Data Protection Officer (DPO). Importantly, this obligation extends to both data controllers and data processors, and it will be an offence not to appoint a DPO where one is required.
Does your organisation need a DPO?
Under the GDPR, a DPO must be appointed where a business or organisation is:
- processing large amounts of sensitive personal data (e.g. insurers, healthcare providers, etc.)
- regularly monitoring individuals (e.g. profiling by big data companies, loyalty brand companies, online retail companies, etc.)
- required by Member State law
A DPO must also be appointed by public bodies or authorities. A DPO will be expected to have an expert understanding of data protection law and practices; their appointment may be a standalone role or a part-time responsibility. A group of sister companies may appoint a single DPO, provided that the DPO is easily accessible from each establishment.
Even where an organisation is not required by the GDPR to appoint a DPO, it is likely to decide nevertheless to appoint one, given the strategic and important nature of data and the proper management of data in its business. This will often be the case with data processors who, in order to win and retain customers, will need to assure those customers of their ability to manage their critical and valuable data.
Selecting a Data Protection Officer
We support organisations to select a DPO, whether they choose to make a new appointment on a full-time basis or by tasking a current employee to take on the role on a part-time basis. Where a current employee takes on a dual role, it will be necessary to ensure that their existing role is compatible with their new duties as DPO, and does not result in a conflict of interest.
We can provide ongoing support, one-to-one mentoring and training to in-house DPOs in their challenging roles. We can act as an invaluable support for in-house DPOs – a DPO “Buddy”. We can help with one-off or specific projects, for example, conducting a Privacy Impact Assessment for a new product/service, or assisting with a response to a Data Subject Access Request. Alternatively, we can offer ongoing support on a retainer basis.
We can also act as an interim DPO when an in-house DPO is on leave or if there is a short-term vacancy.