Home Boost Business Lancashire logo

GDPR countdown: Jumping in at the DPO End?


As we continue the countdown to the introduction of GDPR, Chris Hunter of HM Network explores the need for a Data Protection Officer within an organisation.

Whether your organisation is required to appoint a Data Protection Officer (DPO) or not, you will still need to comply. Obviously you can recruit a DPO, but you may find there is currently somewhat of a shortage. Alternatively, you could outsource your DPO role to an external specialist or a law firm. You could also use someone from within your own organisation, but do they have the right skills to take on the position? There may be a steep learning curve ahead, to get up to speed. We are regularly hearing from people who have assumed the DPO role or have been put forward for it.

Many are apprehensive, some are unhappy and obviously quite worried about the size of the task ahead. While you can appoint someone in your existing organisation as your DPO, they should have the relevant mindset and experience needed for a job like this. Although it is not obligatory it is preferred and suggested that they possess the following skills:  knowledge of privacy impact assessments, risk assessments, IT and IS audits, an expert knowledge in data protection laws, significant experience in EU and global privacy laws which may include drafting of privacy policies and third party outsourcing agreements, experience in legal and technical training, experience in raising awareness... If you do use someone from your existing staff it cannot be a person from a role where it could be seen to have a conflict of interest. For instance they cannot be:

  • Chief Executive
  • Head of Marketing
  • Chief Financial Officer
  • Chief Operating Officer
  • Head of Human Resources
  • Head of Information Technology

It is unlikely whoever you do choose will know everything, and there may well be lead in time while they are getting up to speed with what is required. Do you take on a trained DPO from the outset? Do you outsource completely, or use one of your own people and transition them into the role with external help and support when they need it?

  • Where should your chosen DPO/Data Protection lead turn to for help and guidance?
  • Where do they get the tools to help them do their jobs?
  • Who can help them provide training options for staff?

This is where something like the GDPRexpress can help. We have assembled a variety of specialist partners and services that can help your business on it’s road to compliance. There is a saying “there is strength in numbers”.

Being able to call upon expertise from the group across a variety of specialisms is invaluable. We can help you assess, plan, train and put into practice your GDPR readiness programme. From audits, assessments, cyber security, staff training, policy and procedure writing plus provide data protection practitioner support and much more. Our mission to support local companies through the required changes and as part of that many of the services mentioned are free of charge or low cost. Back to the DPO role,  to help you get a better understanding of what is needed these words are taken directly from the ICO website

When does a Data Protection Officer need to be appointed under the GDPR?

“Under the GDPR, you must appoint a DPO if you:

  • are a public authority (except for courts acting in their judicial capacity);
  • carry out large scale systematic monitoring of individuals (for example, online behaviour tracking); or
  • carry out large scale processing of special categories of data or data relating to criminal convictions and offences.

You may appoint a single data protection officer to act for a group of companies or for a group of public authorities, taking into account their structure and size. Any organisation is able to appoint a DPO. Regardless of whether the GDPR obliges you to appoint a DPO, you must ensure that your organisation has sufficient staff and skills to discharge your obligations under the GDPR.

What are the tasks of the DPO?

The DPO’s minimum tasks are defined in Article 39:

  • To inform and advise the organisation and its employees about their obligations to comply with the GDPR and other data protection laws.
  • To monitor compliance with the GDPR and other data protection laws, including managing internal data protection activities, advise on data protection impact assessments; train staff and conduct internal audits.
  • To be the first point of contact for supervisory authorities and for individuals whose data is processed (employees, customers etc).

What does the GDPR say about employer duties?

You must ensure that:

  • The DPO reports to the highest management level of your organisation – ie board level.
  • The DPO operates independently and is not dismissed or penalised for performing their task.
  • Adequate resources are provided to enable DPOs to meet their GDPR obligations.

Can we allocate the role of DPO to an existing employee?

Yes. As long as the professional duties of the employee are compatible with the duties of the DPO and do not lead to a conflict of interests. You can also contract out the role of DPO externally.

Does the data protection officer need specific qualifications?

The GDPR does not specify the precise credentials a data protection officer is expected to have. It does require that they should have professional experience and knowledge of data protection law. This should be proportionate to the type of processing your organisation carries out, taking into consideration the level of protection the personal data requires.” If you require any help, we are more than happy to connect you with support mechanisms to help you prepare and carry out the roles and responsibilities of the DPO. info+gdpr@hm-nework.com #GDPRexpress 03333 444 190


You may also like...

Meet the Boost team: Lateef Badat BOO_MTBT_LateefBadat
14th June 2024
Inspiration & Spotlight
Meet the Boost team: Lateef Badat
Boost Flying Start business adviser Lateef Badat, a seasoned business coach and mentor with a particular niche in the creative, digital and media sectors, talks about his role in supporting Lancashire businesses.
Building resilience: Thriving in a changing business landscape Building resilience thriving in a changing business landscape
11th June 2024
Inspiration & Spotlight
Building resilience: Thriving in a changing business landscape
In this helpful guide Boost business adviser Jaan Scott provides practical strategies, real-life examples, and actionable insights to help you build a resilient business capable of not just surviving, but flourishing, in today's ever-evolving business landscape.

Sign up to our newsletter

For insights and events to help your business thrive.

Please note if you do not agree to us sharing your information we will be unable to offer you full assistance under the scheme.
Funded by local govmt
Levelling Up
Department for Trade and Business
Northern Powerhouse
Lancashire County Council

The website uses cookies.

Some are used for statistical purposes and others are set up by third party services. By clicking 'Accept all & close', you accept the use of cookies. For more information on how we use and manage cookies, please read our Cookie Policy.