January 25, 2018

FAQs: employing a Data Protection Officer

As you may be aware, the General Data Protection Regulation (“GDPR”) will apply from 25 May 2018. It includes the requirement for certain organisations to designate a data protection officer (“DPO”). Charities are increasingly asking questions about the DPO role and whether they need to appoint one. We have answered some FAQs below.

1. What is a DPO?

A DPO facilitates an organisation’s compliance with data protection rules.

2. Which organisations need a DPO?

The GDPR sets out which organisations must have a DPO. It is those which:

  • Are a public authority;
  • Carry out large scale regular and systematic monitoring of individuals (e.g. online behaviour tracking); or
  • Carry out large scale processing of special categories of data or data relating to criminal convictions and offences.

The GDPR does not define what constitutes a public authority; for the UK, the term ‘public authority’ will be defined by the Data Protection Act 2018.

If these three scenarios do not apply to your charity, you are not required to appoint a DPO but it is important that you designate someone within your charity to take responsibility for compliance with data protection legislation. Given the strict requirements applicable to the appointment of a DPO under GDPR, if you are not required to have one, it would be appropriate to avoid using the job title ‘Data Protection Officer’ in these circumstances.

3. What does a DPO do?

The GDPR sets out the DPO’s key tasks, which include informing and advising the organisation about its obligations; monitoring compliance with data protection law; liaising with the ICO; and being involved in all issues relating to the protection of personal data.

4. Who can be a DPO?

A DPO can be anyone with the right qualifications, and you can use an existing employee, but the charity must ensure that any other tasks and duties do not result in a conflict of interest with his/her DPO role.

Senior management positions may be conflicted (such as a chief executive, chief operating officer, chief financial officer, head of marketing, head of HR or head of IT). Roles lower down in the organisational structure may also be conflicted if the individuals in them make decisions about what happens to personal data as part of that role.

For charities, we would suggest that a trustee is not a suitable person to be a DPO because he/she is likely to be involved in determining the ‘purposes and means of processing’ as, for example, the trustee board may be involved in the preparation and implementation of the data protection policy.

5. How to choose a DPO

The DPO should be chosen on the basis of professional qualities and, in particular, expert knowledge of data protection law and the ability to fulfil the DPO’s prescribed tasks (as outlined above). DPOs must have expertise in national and European data protection laws and practices and an in-depth understanding of the GDPR.

A group of undertakings can designate a single DPO provided that he or she is easily accessible from each establishment. The availability of a DPO, whether physically on the same premises as employees, via a hotline or other secure means of communication, is essential.

6. How to manage a DPO

The GDPR sets out conditions for the DPO’s appointment and position. The DPO should not receive any instructions regarding the exercise of his/her tasks. For example, the DPO should not be told to take a certain view on an issue, how to investigate a complaint or whether to consult the ICO.

The DPO should report to the highest management level of the charity. Therefore, the DPO should be invited to participate regularly in meetings of senior and middle management, as well as attending trustee meetings where appropriate.

The opinion of the DPO must always be given due weight. If the charity does not follow a DPO’s advice, he or she should be given the opportunity to make his/her dissenting opinion clear to the highest management level and to those making the decisions.

7. Can I discipline or dismiss a DPO?

The DPO must not be dismissed or penalised for performing his/her duties as a DPO. For example, the DPO cannot be dismissed for providing data protection advice which the charity does not agree with. ‘Penalising’ a DPO may include an absence or delay of promotion; prevention from career advancement; or denial of benefits that other employees receive. Even a mere threat of these penalties would be a breach.

However, a DPO can still be dismissed legitimately for reasons other than for performing his or her tasks as a DPO (for instance, due to theft, physical, psychological or sexual harassment, or similar gross misconduct).

8. Can I outsource the DPO role?

A DPO can be an external service provider. This arrangement would be through a service contract. If a DPO outside of the charity is used, the same protections apply. For example, there must not be an unfair termination of the service contract for activities as DPO. Although charities can appoint an external person or buy into a service, such providers will be in high demand, so it is also important to be mindful and wary of the quality of the person appointed.