Data Protection Officer (DPO)

Written by Rose Miller on 20/07/2018

Personal data and GDPR

With almost everything we do online relying on inputting some form of personal data, we leave behind a trail of this sensitive data on a near daily basis. This data is always at some form of risk and, if not properly secured, can be used for a variety of different malicious purposes. But what happens to the endless amount of personal data we submit into the ether?

Personal data is stored and processed by practically every company, for a number of reasons. In most cases, it’s kept and processed in order to fulfil contractual obligations, like delivering services to end users and for HMRC record keeping. However, before May 25th, 2018, a lot of companies would also use this data for unrestrained marketing campaigns. Less reputable organisations would even sell it to advertisers or analysts. However, since GDPR came into effect, the rules have become a lot stricter. There are now numerous laws dictating what can and can’t be done with personal data, the situations where it can legally be obtained, and how such data must be protected, transferred and processed. A data subject’s rights have been set out in clear terms, as have the responsibilities of the data controllers and processors.

One such result of these laws is the emergence of the DPO or Data Protection Officer. GDPR mandates that certain types of organisation must have a DPO, and the UK’s Information Commissioner’s Office (ICO) recommends that every single organisation appoints someone who takes responsibility for personal data. But what is a DPO? What do they do? Why do you need one? Well, get yourself comfortable and we shall explore these questions together.

GDPR mandates that certain types of organisation must have a DPO, and the UK’s Information Commissioner’s Office (ICO) recommends that every single organisation appoints someone who takes responsibility for personal data

What is a Data Protection Officer (DPO)?

A Data Protection Officer (DPO) is an advisory role concerned with the security of personal data. They oversee data protection strategy and implementation in order to maintain good security of personal data and ensure compliance with GDPR legislation. A DPO will be the single point of contact for all matters relating to personal data, particularly in the case of a data breach.


What are a DPO’s responsibilities?

A DPO’s responsibilities include informing and advising data processors, data controllers and any employee involved in the handling of personal data, highlighting their individual obligations under GDPR. A DPO must monitor compliance with the regulation across an organisation. This will include identifying and analysing all processing activities and highlighting problematic areas. A DPO will ensure that all the relevant safeguards are in place to protect personal data and assign the relevant roles to staff, as well as providing advice and training where required. They will also oversee the conducting of data protection impact assessments (DPIAs) and monitor their performance.

A Data Protection Officer will liaise and cooperate with the relevant regulatory authority (the ICO in the UK), particularly in the event of a data breach. Similarly, the DPO will act as a single point of contact for all enquiries and requests from data subjects.


What qualifications does a DPO need?

There are no specific qualifications required to be a Data Protection Officer. Providing their role doesn’t present a conflict of interest, any member of staff can be appointed the position.

However, the DPO must have experience in the subject and ideally in data protection law too. It’s recommended that your chosen DPO have an in-depth knowledge of your industry sector, as they will be more aware of the type of data held and the processing methods in place and subsequently, the level of protection required.

A DPO will liaise and cooperate with the relevant regulatory authority, particularly in the event of a data breach

Why does your company need a Data Protection Officer?

Unless your company or organisation is a public authority or body, relies on the systematic processing of personal data on a large scale, or processing large amounts of data that can be defined as ‘special categories’, you are not legally required to appoint a DPO. However, all regulatory bodies advise one is appointed anyway, regardless of your business activities.

Failing to adhere to the rules set out by GDPR can result in hefty fines, with the first tier being anything up to €10 million or 2% of annual global turnover, depending on the circumstances. As no company would want that, it makes sense to appoint someone to oversee the management of personal data and ensure that everything is maintained to the strict standards set by the legislation.

Furthermore, under Article 33 of GDPR legislation any breach which poses a risk of causing harm to the data subject or their fundamental rights must be reported to the regulatory body within 72 hours of it being known. How the breach occurred, the number of people affected, and the amount and type of data concerned must also be reported, along with a remediation plan. Without a DPO, this information may be hard to obtain, relying on several different departments giving different information. Whilst a single person must take responsibility for data protection regardless of whether a DPO is appointed, this person may not have all the information required in the event of a breach.

A dedicated DPO or a member of staff carrying out these duties will make the process a lot smoother and will emphasise a level of transparency. If, due to miscommunication or poor data management you are unable to satisfy the regulator, then your company will be put at unnecessary risk.


Are we a public body or authority?

There is currently some confusion as to the exact definition of a public body or authority. For example, schools, government departments, local governments, police forces, the NHS, the armed forces, and regulatory bodies could all be considered public bodies.

Some privately-owned businesses which provide services on behalf of public bodies may also be subject to the requirements of a DPO, but only in regard to data processed relating to that body. For example, private medical practices, or privately-owned pharmacies that provide NHS services.


Data Protection Officers’ GDPR requirements

As briefly mentioned earlier, a DPO is necessary if you are an organisation whose core activity is "monitoring individuals regularly and systematically on a large scale.” Like a lot of government legislation, this is frustratingly vague.

For starters, what constitutes as ‘large scale’ is not defined throughout GDPR. This is not to say that as time progresses we won’t see a minimum figure introduced, but for now, it is very much a judgement call. It’s recommended that the following factors are taken into consideration:

  • The number of data subjects concerned – either as a specific number or as a proportion of the relevant population
  • The volume of data/or the range of different data items being processed
  • The duration, or permanence, of the data processing activity
  • The geographical extent of the processing activity

Core activities

Core activities is another difficult one. Loosely defined, your core activities can be considered as any task carried out to achieve your overall goal. Whilst at first you may think that your core activities do not involve the processing of personal data, in some instances, it’s more complicated than it seems. For example, a private security company’s core activities would be to provide security for their clients in terms of alarms and surveillance systems. If such a company were to provide CCTV to places open to the public, such as a shopping centre, then as part of their core activities, they would be processing large amounts of personal data and would therefore require a DPO.

Regular and systematic

This is another aspect of the GDPR legislation that is not well defined. Regular and systematic monitoring would apply to all forms of tracking and profiling on the internet in order to analyse behavioural patterns for advertising, but wouldn’t necessarily stop there.

The Data Protection Working Party defines regular as:

  • Ongoing or at particular intervals
  • Recurring at fixed times
  • Constantly or periodically taking place

Whereas they define systematic as:

  • Occurring according to a system
  • Pre-arranged, organised or methodical
  • Taking place as part of a general plan for data collection
  • Carried out as part of a strategy

All these definitions are still fairly vague. It becomes clear why regulators advise a DPO is appointed whether you need to have one or not. Aside from promoting better data security, it simply makes things easier.

Failing to adhere to the rules set out by GDPR legislation can result in hefty fines

Benefits of employing a full-time DPO

As previously mentioned, an existing member of staff can be appointed a DPO. This may work for smaller companies, but it is rarely recommended. For starters, you need to ensure that their day-to-day job does not present a conflict of interest with their duties as a DPO. This can be rather broad and difficult to define. An example would be someone in a marketing position, as they’re likely to be the ones deciding what to do with any stored personal data. Likewise, a member of the IT department is not a good choice, as they’ll likely be the ones deciding how data is stored and processed.

Under GDPR, the data subject (that’s the people who personal data is about) have considerably more rights. For example, the right to rectification. If you are storing personal data that is incorrect, the data subject may contact you and request it be changed. You would be obliged to make those changes in a timely manner. They also have the right to request that their data be erased. Assuming you’ve no legal obligation to keep it, or do not require the data to fulfil your contractual obligations, you must fulfil this request. These requests, along with the numerous other duties of the DPO, makes trying to balance this along with another role incredibly demanding.

Having a dedicated, full-time DPO may be beneficial despite the significant annual wage cost. Not only can this chosen person fulfil requests from data subjects (and remember this includes employees too), but they can devote more time to data and process mapping and improving security and processes in order to avoid breaches.

Should a breach occur, this person will already have most of the necessary information and can easily liaise with other departments to obtain more in order to offer the regulator a comprehensive report of the situation.

Employees will also have a familiar face with whom they can consult regarding their own personal data or pass on questions from external sources. Being based in the office and knowing the business inside and out can help the DPO fulfil their obligations with greater efficiency.


Benefits of outsourcing DPO services

Many companies are offering an outsourced DPO service in light of GDPR and there are numerous benefits to choosing this option. First and foremost, it is often a more cost-effective solution. Your chosen DPO does not have to be in the office from nine till five, five days a week. In fact, you may find that you’ll only need the skills of a Data Protection Officer for a number of hours every month, in which case outsourcing this role makes perfect sense.

When outsourcing this role, you will be able to choose how much time the DPO is required each month and then pay for that time alone.

You will also have access to a DPO who is completely independent of the business and therefore, there is no risk of a conflict of interest, and they can provide purely objective advice. Not only that, they will already be experts on data protection and know the ins and outs of GDPR.

Having worked with a number of companies, the chances are an outsourced DPO will already have experience of dealing with a data breach and will therefore have a plan ready to go should you need it. They will certainly know the best way to go about collating all the data needed and how to present this to the regulator.


Costs of outsourcing a DPO

The cost of an outsourced DPO will very much depend on the size of the business and the number of contact hours agreed:

Data Protection Officer costs
Business Size DPO Time & Delivery Cost Range
Small (< 20 employees) Generally, four hours per month will be enough for a small business. Virtual delivery, with onsite visits once a quarter, is typically the best way to deliver this level of DPO service. From around £600 pcm
Medium (21-200 employees) We usually find that 1 day per month is enough for most medium businesses, though more may be required if your organisation is data-heavy or with multiple offices. On-site delivery is recommended. From around £1,000 pcm
Enterprise For larger companies that work across multiple sites and sectors, a bespoke package will be required. With more DPO time being required, a mixture of on-site and off-site delivery will generate best results. Depends on requirements

Summary

Whether you are legally obligated to appoint a Data Protection Officer or not, there has to be someone who takes charge of personal data and its protection within every business holding data on EU/UK citizens. Having a dedicated DPO can alleviate the stress of having to maintain GDPR compliance along with seeing out other duties. It is a varied, time-consuming role which will be invaluable for protecting your business. Fines aside, a data breach or poor data management can have serious reputational impacts and any data subjects affected by the breach can make separate damage claims.

Be sure to make an informed decision when it comes to selecting your DPO. Whether you appoint a member of staff, hire a dedicated DPO or plan on outsourcing this role, be sure to go for an option that best suits your business.


  • Bulletproof are CREST approved

    CREST approved

  • Bulletproof are ISO 27001 and 9001 certified

    ISO 27001 and 9001 certified

  • Bulletproof are Tigerscheme qualified testers

    Tigerscheme qualified testers

  • Bulletproof are a PCI DSS v3.2 Level 1 service provider

    PCI DSS v3.2 Level 1
    service provider

  • Bulletproof have 24/7 on-site Security Operations Centre

    24/7 on-site Security
    Operations Centre

Get a quote today

If you’re interested in our services, get a free, no obligation quote today by filling out the form below.