window.dataLayer = window.dataLayer || []; function gtag(){dataLayer.push(arguments);} gtag('js', new Date()); gtag('config', 'G-YFZ1F7T6M6'); window.dataLayer = window.dataLayer || []; function gtag(){dataLayer.push(arguments);} gtag('js', new Date()); gtag('config', 'G-YFZ1F7T6M6');

What is a Data Protection Officer

Fundamentally, the role of the Data Protection Officer (DPO) is to be responsible for reviewing and monitor the organisations data privacy and to advise the organisation accordingly.

The EU GDPR (General Data Protection Regulation) and the UK Data Protection Act 2018 does not require all organisations to have a data protection officer. If you are a global organisation, or an organisation that transfers personal information outside of the UK / EU borders then a data protection office is recommended. With increased data protection laws coming into force in many countries having a data protection office is becoming more important.

  • To inform and advise the controller, processor, senior management, and employees of the organisation
  • To monitor the compliance of the regulation and to advise the organisation
  • Monitor the data protection responsibilities within the organisation
  • Monitor the training of the staff
  • Provide advice and recommendations on the data protection policies and procedures
  • Provide advice on Data Protection Impact Assessment (DPIA)
  • Communicate and cooperate with the Supervisory Authority
  • Point of contact for the data subjects
  • Act as the contact point for the Supervisory Authority
  • Be registered with the Supervisory Authority

When must you appoint a Data Protection Officer?

There are different requirements for appointing a DPO depending on the applicable data protection law. Datahub can advise on specific laws across the world, and if there is a requirement to appoint a DPO. But for EU GDPR and the UK Data protection Act (DPA) 2018 it’s not always required to have a DPO in place.

Statutory Appointment

EU GDPR and the UK Data Protection Act 2018 states, you must appoint a DPO if you carry out any of the following:

  • If you are a public authority or body (except for courts acting in their judicial capacity);
  • your core activities require large scale, regular and systematic monitoring of individuals (for example, online behaviour tracking); or
  • your core activities consist of large-scale processing of special categories of data or data relating to criminal convictions and offences.

Voluntary Appointment of a DPO

If there is no statutory requirement for you to fulfil the role of a DPO then the choice is up to the organisation. All organisations that process personal information of data subjects are required to maintain a level of compliance to safeguard the data of the data subjects. For this reason, most organisations do have a DPO in place. Datahub would always recommend the appointment of a DPO for their knowledge and guidance on the law. Also, the law can change over time and having a DPO in place can advise the organisation accordingly.

You can read more about appointing a DPO on the ICO website.
The Information Commissioners Office (ICO) is the UK Supervisory Authority.

What are the benefits of DPO as a service?

When the DPO is non-statutory then you would need to weigh up the benefits. There are two options to consider. You can get an employee to do the role, but you also have the option to appoint a third-party consultant into the role. The key factors when looking at these are:

Cost

If the role is to be filled internally then would any current staff have the knowledge and ability to fulfil the role. If a new person were to come into the business, there would be a high cost to the business.

With an external consultancy there is a fixed monthly fee, and you know the cost up front and can budget for this. In majority of the cases, it would be more cost effective to use an external consultancy.

Professional Qualities

The DPO will possess the qualities to fulfil the role as DPO.

This will include confidentiality, DPO’s knowledge, also their ability to fulfil the designated tasks. (Article 37(5), Article 38(5))

Conflict of Interest

Organisations that use an internal person for the role of DPO will have to make sure that there is no conflict of interest that may impact the role. This is one of the benefits of using a consultancy as the DPO. If the DPO services are with a consultancy, then this provides an independent, non-bias approach, with the assurance of no conflict of interest.

The EU GDPR states that “The controller or processor shall ensure that any such tasks and duties do not result in a conflict of interests.” (Article 38(6))

Availability

When appointing a DPO, availability needs to be considered. If you appoint an internal person to the role, then in most cases they will be in a share role. In that the employee has a current role and the tasks of the DPO are added to the persons job role. If this is the case, then consideration would need to be made to the time allocated to the tasks of the DPO.

If you use an external consultant, then this time management is managed by the consultant. But you will get the required availability of the DPO.

Useful Articles from the EU GDPR regarding the Data protection Officer.

Article 37 Designation of the data protection officer
Article 38 Position of the data protection officer
Article 39 Tasks of the data protection officer

The articles mentioned above are from the Regulation (EU) 2016/679 “EU GDPR”.

Datahub DPO Services

We realise that all customers are not the same and have different Data Protection Officer requirements.

For this reason, our services and pricing are tiered so that we have a package for all organisations. From Level 2 and above you get a dedicated expert that will work with you, understand your individual needs, and integrate into your organisation.

Level 1

Our Level 1 service allows you to have telephone support from our experts. This would be best level if you have an internal compliance person who may need support.

Level 2

Our Level 2 service is for any small organisations. Providing you with up to 2 hours of time per month with your dedicated expert, plus telephone support.

Level 3

The Level of service for small & medium sized organisations, provides you with up to 4 hours per month with your dedicated expert, plus telephone support.

Level 4

Our Level 4 service for medium to large organisations, provides you with up to 8 hours per month with your dedicated expert, plus telephone support.

Level 5

The Level 5 service for larger organisations, provides you with up to 12 hours per month of professional time with your dedicated expert, plus telephone support.

Level 6

Tailored services for your organisation, which can be a fully customised approach to your management of data protection.

Find out how we can help

We have a team of experts that can help you with Data Protection, Data Protection Officer services, or Cybersecurity. Please contact us to arrange an initial conversation.

Contact us