GDPR – Do you need to appoint a Data Protection Officer (DPO)?
With the imminent implementation of the GDPR, businesses need to assess whether they need to appoint a DPO.
The appointment of a DPO is mandatory for the following organisations:
> Public authorities or bodies (excluding courts).
> Organisations whose core activities involve regular, systematic and large-scale monitoring of data subjects.
> Organisations whose core activities consist of the large-scale processing of special categories of data or data relating to criminal convictions and offences.
Member states may also designate additional circumstances where the appointment of a DPO is mandatory.
The criterion most likely to apply to private organisations is the second: “Organisations whose core activities involve regular, systematic and large-scale monitoring of data subjects”. Whether it applies requires an assessment based on the volume and range of data processed, the duration of the processing activity and the geographical extent of the processing. Many organisations have chosen to appoint a DPO voluntarily, particularly where their data processing activities are complex or large-scale.
The role of a DPO is to assist the business in monitoring internal compliance, inform and advise on data protection obligations, provide advice regarding Data Protection Impact Assessments and act as a contact point for data subjects and the supervisory authority. The DPO must be independent, an expert in data protection, adequately resourced, and report to the highest management level.
If your organisation decides against appointing a DPO, you should document the rationale for that decision, ensure that it has senior-level sign-off and retain it with your data protection compliance records. Keeping a record of the justification for not appointing a DPO will be important in the event that this is queried by a supervisory authority.