All public sector bodies, all large-scale processors of sensitive information and all organisations that do systematic monitoring of large numbers of people are legally obliged to appoint a data protection officer. This is Article 37 of the GDPR.
That covers a lot of ground, and means that a significant minority of all organisations are required to have a DPO. Quite a few of those that we’ve encountered, however, don’t have one. Some are also pretty resistant to the idea, even though it’s the law. But this blog isn’t about the refuseniks – there’s a more worrying trend.
The point of a DPO is to be an independent voice holding your organisation to account and ensuring that it both complies with data protection regulations and is more generally a good steward of the personal data it controls and processes. That independence is the fundamental point of the DPO. The GDPR makes it absolutely clear (in Article 38) that the DPO must have no conflicts of interest.
In practice this means that your DPO can’t also be involved in decision-making about what data you process, or how, or why. They’re supposed to observe, advise and monitor, not execute. Otherwise they’d be marking their own homework.
So why do we keep finding organisations where the DPO is also a partner, an executive director, the CTO, the CIO, the head of IT or something of that nature? It’s absolutely clear from the GDPR itself, and from the Article 29 Working Party guidance on the role of the DPO, that you can’t combine an executive function with the DPO position.
This means that GP practices can’t appoint one of the partners as DPO. Nor can accountants or solicitors. Ad-tech and e-commerce businesses can’t choose their CTO or Technical Director. Schools can’t use the Head of IT, the Bursar or the Head of Pastoral Care. And so it goes on.
Given that the DPO must also have sufficient authority and resources to get the job done, is required to be a skilled professional with a continuous professional development programme, and must report directly to the top tier of management, you either hire someone specifically for the role, empower a mid-level employee from a department that doesn’t have direct involvement in data processing, or use an external service.
If you’d like to learn more about the role and requirements of the DPO, you can click here for our 10-minute guide to the topic. At the end of that document are references to the original source legislation and guidance.