The role of Data Protection Officers in ensuring compliance

How many of us receive marketing calls for products and services we did not sign up for? Or emails to our junk folder (sometimes, even making it to our inbox), with advertisements we do not want? Our personal data, such as our email addresses and mobile numbers, is a highly valuable asset, so much so that it can be sold to third parties, hence all of the unwanted contact.

In an era where personal data is this valuable, safeguarding individual privacy has taken centre stage in the legal landscape. The introduction of comprehensive data protection regulations, such as the UK General Data Protection Regulations (UK GDPR), has prompted organisations to adopt robust mechanisms to ensure compliance. A key player in this compliance system is currently the Data Protection Officer (DPO). This article delves into the role DPOs currently play in navigating the complex terrain of data protection laws and how this role will change in the future with the new Data Protection and Digital Information Bill.

What is the role of a DPO?

A DPO is a designated individual within an organisation who is responsible for overseeing and ensuring compliance with data protection laws and regulations. The role is multifaceted, often encompassing tasks related to acting as a liaison between the organisation and authorities, such as the Information Commissioner’s Office (ICO).

The primary role of a DPO is to ensure that an organisation processes the personal data of its staff, customers, and any other individual whose personal data it processes, in a way that is compliant with data protection laws. This will include making sure the organisation’s staff are trained on all relevant obligations in the UK GDPR and the Data Protection Act 2018.

A DPO will continuously monitor an organisation’s activities to ensure these align with data protection laws. This may involve carrying out regular audits, risk assessments and compliance checks.

An important point to keep in mind is that a DPO must be independent and should report to the highest management level in an organisation. This is set to change in the future as detailed below. The organisation should not direct the DPO on how to fulfil their duties.

Do I need to appoint a DPO?

The UK GDPR currently places a duty on an organisation to appoint a DPO if the organisation is a public authority or body, or if it carries out certain types of personal data processing activities. These activities involve:

  • regular and systematic monitoring of individuals (for example, online behaviour tracking); or
  • large scale processing of special categories of data (such as health or biometric data) or data relating to criminal convictions and offences.

Jacob Montague

Senior Solicitor

Benefits of having a DPO in your organisation

Even if you do not fall into one of the above categories, you may wish to voluntarily appoint a DPO to help ensure that your organisation adheres to best practices. If you do this, you should be aware that the same requirements of the position and tasks apply as if the appointment had been mandatory, so you do need to consider if this is right for your organisation. It may be that some other data protection role would be more appropriate in such circumstances. The benefits of appointing someone like a DPO include having someone bring expertise to your organisation and provide valuable insight into compliance, as well as having someone monitor your activities and promote a privacy-conscious culture.

In advising your organisation on how to carry out data protection impact assessments (DPIAs), a DPO can also help you protect the organisation from being issued with fines from the ICO for non-compliance.

Future Reform

It’s important to be aware that the Data Protection and Digital Information Bill, currently making its way through Parliament, removes the requirement to appoint a DPO and replaces it with a new requirement to appoint a ‘Senior Responsible Individual’ (SRI) for data protection. This person is not independent and should be a part of an organisation’s senior management. The tasks are broadly similar to those carried out by the DPO, though the circumstances in which an SRI must be appointed are slightly different from the current position, namely for public bodies or organisations that carry out processing likely to result in high risk to the rights and freedoms of individuals. Such organisations will need to start giving consideration to who they may appoint, especially where they currently have an independent DPO who would not, therefore, meet the SRI criteria.

If you need help carrying out DPIAs, or need advice on any data protection matters, get in touch with our Data Protection Lawyers.

About this article

Disclaimer
This information is for guidance purposes only and should not be regarded as a substitute for taking legal advice. Please refer to the full General Notices on our website.
