First published on Thursday, Aug 13, 2020
Last updated on Friday, Jan 26, 2018
If you’ve been reading up on the General Data Protection Regulation (GDPR), then it’s likely that you’ve come across the term Data Protection Officer (DPO). It’s one of the many names—like data controller and data processor—that you’ve probably never heard of before.
But there’s a reason why you should pay attention to it. Certain companies will need to appoint a DPO to avoid a hefty fine from the Information Commissioner’s Office (ICO).
Don’t worry though, we’re going to explain what a DPO does and whether your company needs one —so you can tick one thing off your GDPR ‘to-do list’.
What does a DPO do?
Under GDPR, a DPO will:
- Educate your staff on why GDPR is important and give advice on how to comply with the law.
- Make sure your company is complying with GDPR. This includes managing data protection activities, training staff and conducting data audits.
- Be the first point of contact for anyone who has their data processed by your company.
You can appoint a DPO that’s already an existing employee of yours. But there must be no conflict of interest between their current role and the duties they’ll undertake as a DPO. Alternatively, you can hire someone to carry out the role or contract it out externally.
GDPR doesn’t specify that a DPO needs any special qualifications to take on the role. But it does say that they should have professional experience and knowledge of data protection law.
Do I need a DPO for my business?
There has been some confusion around whether all companies need to appoint a DPO, especially when it comes to small businesses.
The ICO says that you must appoint a DPO if you:
- Are a public authority (excluding certain courts).
- Monitor individuals on a large scale (e.g. through online behaviour tracking).
- Process special categories of data on a large scale or data that relates to criminal convictions and offences.
If these factors do not apply to your business, then you don’t have to appoint a DPO. But there’s nothing to stop you from taking on a DPO, if you think it’ll be beneficial for your company and you can afford to.
Don’t think you need to appoint a DPO? The ICO recommend that you make sure your organisation has enough skilled members of staff to comply with the terms of GDPR.
Does a DPO need any specific tools?
The ICO doesn’t suggest that a DPO needs any specific tools to carry out their role. But finding the right HR software will help to make their life a little easier.
With BrightHR, you can keep all of your staff documents in one place and create a paper trail. This will help you to find certain documents much easier, which will come in handy when your DPO needs to carry out an internal audit.
Not only that, but if your employees want to update or delete their personal details, they can do this themselves.
Want to know more? Request your free demo today to see how BrightHR will transform your document storage.