Under GDPR, all public authorities must appoint Data Protection Officers (DPOs) and all private organisations must appoint DPOs if they either undertake large-scale and systematic monitoring of data subjects or undertake extensive processing of sensitive data.
All private organisations means exactly that. Even if you are a one-person business, if you meet either of these criteria you have to appoint a DPO. Far from having an exemption for SMEs, the GDPR framework allows national governments to implement more stringent criteria, for example in Germany all businesses with at least 10 employees who permanently process personal data must appoint a DPO.
Even if you don’t, technically, need a DPO according to the letter of GDPR, it could still be worthwhile to appoint one, since it seems reasonable to assume that issues relating to the collection, storage and/or processing of personal data are only going to become more prominent as time goes by.
If you do go down this route, then your chosen DPO still needs to fulfil the requirements of the role as laid down in GDPR.
The role of the DPO under GDPR
Under GDPR, the DPO has five key areas of responsibility:
- Keep the organisation informed (and updated) of their responsibilities under GDPR
- Monitor compliance with GDPR and any other relevant legislation and/or internal policies
- Provide appropriate and timely advice on data protection impact assessments (DPIAs)
- Liaise with relevant authorities, internal and external, as necessary
- Be available to data subjects for queries and subject access requests.
Practicalities of appointing a DPO
Knowledge and skills
The GDPR does not lay down any hard-and-fast rules regarding what qualifications and/or experience a DPO must possess. It does, however, underline that any DPO must have a solid understanding of: the principles and practice of data processing; the relevant laws relating to data protection and the organisation on behalf of which they are acting.
SMEs, in particular, may struggle to find internal people with the relevant skills, or even to find people who could be trained to undertake the role either as a full-time job or in addition to their other responsibilities. This second option is made even more different by the requirement that organisations ensure that their DPO is able to operate with complete independence and without any conflict of interest between their role as DPO and any other responsibilities they may have within the organisation.
Fortunately, GDPR allows organisations to appoint external parties as DPOs (this is also known as DPO as a service). This ensures that SMEs can get the expertise they need to the extent they require it.
They will, however, need to take the time to familiarise their external DPO with the processes, procedures and systems within their organisation.
Understanding the reality of liability
To be absolutely clear, the DPO’s role is essentially to give the management of an organisation the guidance it needs to keep its organisation on the right side of data protection legislation.
The DPO will usually also give them practical assistance to do this, for example by undertaking relevant employee training and acting as a point of contact for both regulatory authorities and data subjects.
In terms of GDPR, liability for data-security breaches lie with the organisation’s management rather than the DPO, although SMEs that use DPO as a service may be expected to have a contract in place that ensures at least some level of mutual liability.