Is an organisation legally required to appoint a data protection officer? Not always. Regardless, should your organisation appoint one anyway? That’s the real question. In this article, we discuss whether a GDPR data protection officer is an essential hire.

In order to meet their data protection requirements under the GDPR, organisations need expert advice and guidance. A data protection officer (DPO) is the best person to deliver it, but are they really an essential hire?

The answer is yes in complex cases, and always if Article 37 makes the appointment of a DPO mandatory for your organisation.

Mandatory DPO

The GDPR places a legal duty on organisations to appoint a DPO in certain circumstances. These circumstances relate to the type and scope of the organisation’s processing activities.

You are required to appoint a DPO if:

  • You are a public authority or body, except if you are a court acting in your judicial capacity;
  • Your organisation’s core activities require regular and systematic monitoring of individuals on a large scale. Examples here include web analytics, online behaviour tracking, marketing surveys;
  • Your organisation’s core activities involve processing on a large scale ‘special categories’ of personal data. Examples here include race, ethnic origin, religion, health, politics, sexual orientation.

These requirements apply to both controllers and processors, and “core activities” are defined as “the primary business activities of your organisation”. “Large scale” is not precisely defined; when deciding whether processing is large scale, you must consider the number of data subjects concerned and the volume of personal data being processed.

Non-mandatory DPO

Organisations that are not legally obliged to appoint a DPO may do so anyway, and organisations of all sizes are choosing to do so to help meet their compliance requirements under the GDPR. This might surprise you, but the benefits of appointing a DPO are so great that many organisations see them as an essential hire.

The benefits of appointing a DPO

With the above in mind, there are three benefits of appointing a DPO:

Guidance: the DPO can guide you through the complex legalities of privacy regulation. They will help protect your organisation’s interests, and although they cannot set your policies, they will steer them towards compliance and recommend the right action. It should be said that the DPO is not responsible for compliance, because they do not make the decisions. It remains your responsibility to comply with the GDPR.

Ongoing advice: as your core activities change along with your business model, your data protection policies have to keep up to stay compliant. The DPO will continue to play a crucial role in helping you fulfil your organisation’s data protection obligations, and that ongoing advice will be worth its weight in gold. In some ways, the DPO can be thought of as an in-house regulator who works with you to keep your business in line.

Accountability: this is one of the core principles of the GDPR. It places a specific obligation on every organisation to be able to demonstrate that it is complying with the Regulation and its principles. You must put in place measures to meet the accountability requirement, and one of the measures you can take is appointing a DPO. This is because the role of a DPO is to advise you and help you meet your GDPR requirements.

An essential hire for all?

While some organisations have simple legal requirements to fulfil under the GDPR, others have complex data protection obligations to meet. Appointing a DPO can help these organisations create a robust, GDPR-compliant data protection policy and ensure that they continue to meet their ongoing requirements.

Appointing a DPO is also a sure-fire way for organisations to demonstrate their accountability, which is a key principle of the GDPR. Accountability requires that the organisation take responsibility for what it does with the personal data it holds and be able to demonstrate that it is complying with the GDPR at all times.

The reason a DPO is so effective in these cases is that the tasks of the DPO are clearly defined in Article 39 of the GDPR. Here’s what the Article says:

Thanks to these clearly defined tasks, it is easy for organisations that are not legally obliged to appoint a DPO to decide whether appointing one anyway would benefit them. In many cases, the answer to that question is yes.

Appointing a DPO

You can appoint an existing employee as your DPO if their professional duties are compatible with the DPO role and there is no conflict of interest. You can also hire a DPO as an employee, but only if there is no conflict of interest.

Most organisations appoint a DPO externally, which means bringing in a contractor to fulfil the role. You are free to do this on the basis of a service contract. If you do, you should ensure that the individual or individuals concerned have a good working knowledge of European data protection law.

If your organisation comprises a number of trading companies, you can appoint a single DPO to cover the group. However, they must be able to perform their duties adequately, and you must consider whether one DPO is realistically enough. If a single DPO is spread too thinly across a large organisation, the role becomes impossible to perform.

Whether you are legally required to appoint a DPO or not, if you choose to do so, their defined tasks stay the same. You will also have to support the DPO fully, and you will have commitments to them. The ICO states you must ensure:

Should I appoint a DPO?

If there’s no legal need for you to appoint a DPO, you’re free not to appoint one. But you must still ensure you have the staff and resources to discharge your obligations under the GDPR. For this reason, most organisations see the DPO as an essential role, because a DPO does help them meet and discharge those obligations.

Small businesses with few employees that do not collect large amounts of data will have simpler requirements under the GDPR. In this instance, appointing a DPO might well be overkill. A good data protection policy would likely satisfy the accountability requirements here, and the decision can be revisited as the business grows.

Thus, it is advisable to consider the scope of the data you’re collecting and your current requirements under the GDPR before deciding whether appointing a DPO is the smart thing to do.