How many of us receive marketing calls for products and services we did not sign up for? Or emails to our junk folder (sometimes, even making it to our inbox), with advertisements we do not want? Our personal data, such as our email addresses and mobile numbers, is a highly valuable asset, so much so that it can be sold to third parties, hence all of the unwanted contact.
In an era where personal data is this valuable, safeguarding individual privacy has taken centre stage in the legal landscape. The introduction of comprehensive data protection regulations, such as the UK General Data Protection Regulations (UK GDPR), has prompted organisations to adopt robust mechanisms to ensure compliance. A key player in this compliance system currently is the Data Protection Officer (DPO). This article delves into the role DPOs currently play in navigating the complex terrain of data protection laws and how this role will change in the future with the new Data Protection and Digital Information Bill.
What is the role of a DPO?
A DPO is a designated individual within an organisation who is responsible for overseeing and ensuring compliance with data protection laws and regulations. The role is multifaceted, often encompassing tasks related to acting as a liaison between the organisation and authorities, such as the Information Commissioner’s Office (ICO).
The primary role of a DPO is to ensure that an organisation processes the personal data of its staff, customers, and any individual it processes personal data on, in a way that is compliant with data protection laws. This will include making sure the organisation’s staff are trained on all relevant obligations in the UK GDPR and the Data Protection Act 2018.
A DPO will continuously monitor an organisation’s activities to ensure these align with data protection laws. This may involve carrying out regular audits, risk assessments and compliance checks.
An important point to keep in mind is that a DPO must be independent and should report to the highest management level in an organisation. This is set to change in the future as detailed below. The organisation should not direct the DPO on how to fulfil their duties.
Do I need to appoint a DPO?
The UK GDPR currently places a duty on an organisation to appoint a DPO if the organisation is a public authority or body, or if it carries out certain types of personal data processing activities. These activities involve:
- regular and systematic monitoring of individuals (for example, online behaviour tracking); or
- large scale processing of special categories of data (such as health or biometric data) or data relating to criminal convictions and offences.
Benefits of having a DPO in your organisation
Even if you do not fall into one of the above categories, you may wish to voluntarily appoint a DPO to help ensure that your organisation adheres to best practices. If you do this, you should be aware that the same requirements of the position and tasks apply had the appointment been mandatory and so you do need to consider if this is right for your organisation. It may be that some other data protection role may be more appropriate in such circumstances. The benefits of appointing someone like a DPO include having someone bring expertise to your organisation and provide valuable insight into compliance, as well as having someone monitor your activities and promote a privacy-conscious culture.
In advising your organisation on how to carry out data protection impact assessments (DPIA), a DPO can also help you protect the organisation from being issued with fines for non-compliance from the ICO.
Future Reform
It’s important to be aware that The Data Protection and Digital Information Bill, currently making its way through parliament, removes the requirement to appoint a DPO and replaces it with a new requirement to appoint a ‘Senior Responsible Individual’ for data protection. This person is not independent and should be a part of an organisation’s senior management. The tasks are broadly similar to those carried out by the DPO though the circumstances in which they must be appointed are slightly different from the current position, namely public bodies or organisations that carry out processing likely to result in high risk to the rights and freedoms of individuals. Such organisations will need to start giving consideration to who they may appoint especially where they currently have an independent DPO who would not, therefore, meet the SRI criteria.
If you need help carrying out DPIAs, or need advice on any data protection matters, get in touch with our Data Protection team here.