One of the most common questions we receive from SMEs on the subject of data privacy and GDPR is “do we need a Data Protection Officer?”.
There is no doubt that Data Protection Officers play an increasingly vital role in protecting UK businesses, so much so that demand for skilled staff to fill these roles has risen hugely over the past few years. Given the enormous fines levied on some organisations, it is easy to see why. Google was ordered to pay £43.2m in 2019, and British Airways were fined £20m in 2020 for breaches of data privacy law. It is not just big firms being impacted. A good number of fines in the region of £100,000 have been levied on SMEs.
In this article, we will explain whether your business is required to have a DPO and why hiring a Data Protection Officer can be a really good investment.
What are the roles and responsibilities of a Data Protection Officer (DPO)?
First, some background information. The UK’s Data Protection Act 2018 incorporated the General Data Protection Regulation (GDPR) rules that were agreed across the EU.
The current UK GDPR deals with how personal data, e.g. information held on clients and employees, should be used and managed in a way that is (i) fair, (ii) lawful, and (iii) transparent. The GDPR specifies the role of a DPO and whether one is necessary by law.
The role of the DPO is to handle all issues relating to the protection of personal data, including:
- explaining to those who control and process data within the organisation how to comply with the UK GDPR
- monitoring compliance with the UK GDPR
- providing advice on data protection impact assessments
- cooperating with the supervisory bodies, e.g. the Information Commissioner’s Office (ICO)
- acting as a point of contact for the supervisory authorities
DPOs play a vital role in making sure that businesses remain compliant with data protection law at all times and avoid potentially costly breaches.
Do you need to employ a Data Protection Officer (DPO)?
A business should appoint a DPO where:
- the processing is carried out by a public authority or body, except for courts;
- the core activities of the controller or the processor consist of regular and systematic monitoring of data subjects on a large scale;
- the core activities consist of processing on a large scale of special categories of data or personal data relating to criminal convictions and offences.
Many businesses remain confused as to whether they fall within the mandatory requirement for a DPO.
To answer this, we need to clarify what is meant by ‘core activities’, ‘regular and systematic monitoring’, ‘large scale’ and ‘special categories of data’.
‘Core activities’ refers to the ‘primary activities’ of a business, not the activities that all businesses have to perform, such as payroll and storing information on clients. For example, a law firm processing information relating to a legal case would be considered a primary activity.
A business will be considered to be involved in ‘large scale’ data processing where it is handling extremely large volumes, e.g. whereas a hospital would come under this definition, a local GP surgery would not. A business is considered to be carrying out ‘regular and systematic monitoring’ if it is processing lots of data for tracking and profiling, e.g. an online retailer using data to make recommendations to prospective clients. And finally, ‘special categories’ may include sensitive data, including information on health, race, political opinions, or identity.
It is also important to monitor the situation over time, as even if you do not need a DPO now, you may need one in the future, for example if you expand your operation or start processing personal data on a larger scale. For this reason, we recommend scheduling a regular review to ensure you remain compliant with the law, or speaking with a data protection lawyer.
Are you still unsure if you need a DPO?
The UK GDPR as it stands is still rather unclear, leaving many businesses unsure if they fall within the mandatory requirement for a DPO. If you are in this position, speak to one of LawBite’s expert UK data protection Solicitors, who will clarify your position. By asking questions about the use of personal data within your business, we can confirm if a DPO is needed. In addition, we can explain how to go about appointing a DPO and the type of training they will need.
Think of a DPO as an investment in your organisation, not a cost. Even if a DPO is not strictly necessary for your SME, hiring a person into this role will ensure that you do not fall foul of the laws on data privacy, and hence you will mitigate the risk of serious penalties. Another reason is that by investing in a DPO, you are sending a strong signal to prospective clients and investors that you take the protection of data extremely seriously. This, in turn, will offer them significant reassurance that your SME is adhering to data privacy best practices at all times.
Here is a checklist to ensure you are compliant:
- review your business’s existing use of data, i.e. who are the ‘data controllers’ (those who determine if and why data needs to be processed) and the ‘data processors’ (those who process data on behalf of the controller) within your business, what data you hold, and how that data is processed.
- assess whether a DPO is mandatory for your organisation - speak to a specialist in data protection law if you are unsure.
- appoint a DPO and ensure they receive the training, time, resources, and support they need to perform their role.
You can get legal assistance from LawBite
Still confused? LawBite has expert data protection lawyers who will be able to help you. They can advise you on the data protection rules you must follow and whether your business needs a data protection officer or not.