Under the Law, you must appoint a DPO if you:
Core activity can be considered to be key operations necessary to achieve the controller’s or processor’s goals. This includes where the processing of personal data forms a vital part of the delivery of that core activity. For example, the core activity of a GPs’ practice is to provide healthcare and that cannot be achieved effectively without the use of patients’ health records. Therefore, by Law, a GPs’ practice would need to designate a DPO.
A controller or processor may choose to voluntarily appoint a DPO if the above conditions do not apply.
Regardless of whether the Law obliges you to appoint a DPO, you must ensure that your organisation has sufficient staff and skills to discharge your obligations under the Law.
The DPO role can be assigned to:
However the role is fulfilled, the DPO must not undertake any other duties that conflict with their DPO duties.
You may appoint a single data protection officer to act for a group of companies or for a group of public authorities, taking into account their structure and size. In such cases the DPO must be easily accessible from each entity within that group and must be able to allocate an appropriate and proportionate amount of their time to each entity.
The DPO’s minimum tasks are defined in sections 50 and 51 of the Law:
You must ensure that:
The Law does not specify the precise credentials a DPO is expected to have. It does require that they should have professional experience and knowledge of data protection law. This should be relevant and proportionate to the type of processing your organisation carries out, taking into consideration the level of protection the personal data requires.
The European Data Protection Board has published its own guidance on data protection officers that you may find useful. It includes guidance on what will be deemed a conflict of interests in relation to the DPO’s duties.