In order to comply with this requirement, it is necessary to understand how the appointment should be made; the tasks and responsibilities that the appointed individual will assume; and the ongoing support that the authority must provide to the DPO.
In summary, the DPO must:
Any 'public authority or body' must appoint a DPO. These terms are not defined in the GDPR, but guidance from the Information Commissioner's Office (ICO) is that if you are a public authority as defined under the Freedom of Information Act 2000, it is likely that you will be a public authority for the purposes of the GDPR.
If you are unsure whether your organisation is a public authority for these purposes, please get in touch with us.
The GDPR does not specify the precise credentials that a DPO must have. However, it does require that they should have appropriate professional experience and expert knowledge of data protection law.
The level of experience should be proportionate to the organisation's activities, but 'expert' is a fairly high threshold. ICO Guidelines state that the sensitivity, complexity and amount of data processed within an organisation will affect the expertise required of a DPO, and recommend that the DPO has a sufficient understanding of the controller's operations, information systems, data security and data protection needs.
For many organisations, it will be challenging to find an existing employee who satisfies the requirements of being a DPO. This may mean that such organisations have to engage outside consultants, at potentially significant expense. Further, care should be taken if allocating the role to an existing member of staff to ensure the requirement for independence is not compromised.
The ICO Guidelines clarify that a single DPO can be appointed for a corporate group (or several entities within a group) provided that he or she is easily accessible from each business location for which he or she is responsible. This is a welcome development for organisations, but it will be important to ensure that such a DPO is provided with sufficient resources to perform the role.
The GDPR sets out a non-exhaustive list of tasks that a DPO must carry out. As a minimum, the DPO must:
The GDPR sets down a number of ways in which organisations are required to provide support to their DPO. You must ensure that the DPO:
If at any time you decide not to follow the advice given by your DPO, you should document your reasons to help demonstrate your accountability.
You must publish the contact details of your DPO and provide them to the ICO. This is to enable individuals, your employees and the ICO to contact the DPO as needed. You aren’t required to include the name of the DPO when publishing their contact details but you can choose to provide this if you think it’s necessary or helpful.
Finally, it is important to remember that the DPO isn’t personally liable for data protection compliance. The public authority remains responsible for GDPR compliance. Nevertheless, the DPO clearly plays a crucial role in helping you to fulfil your organisation’s data protection obligations.
The GDPR creates an explicit requirement for public authorities to appoint a Data Protection Officer. This applies to both controllers and processors.
You can appoint a DPO if you wish, even if you aren't required to. If you decide to voluntarily appoint a DPO, however, you should be aware that the same requirements apply to the position and its tasks as if the appointment had been mandatory.
Organisations subject to this requirement should ensure that they understand how to go about making the appointment, the tasks and responsibilities that will be assumed by the DPO, and their duty to provide the DPO with support.