Many larger organisations currently have a Data Protection Officer (‘DPO’). However, GDPR makes the appointment of a person to this important role a must in certain circumstances. GDPR also sets out the responsibilities of this person.

You must appoint a DPO if you are a controller or processor of personal data and:

(a) you are a public authority, or,

(b) your core activities consist of processing requiring regular and systematic monitoring [such as CCTV or profiling] of people on a large scale, or,

(c) your core activities consist of processing on a large scale of special (health etc.) data.

Your DPO must have “professional” qualities and be an expert in both data protection law and practice. They must also have the ability to perform certain tasks such as:


(a) to tell you and advise you as to your obligations under both GDPR and any other UK or European data protection laws;
(b) to monitor your compliance with the above laws and your own policies, to raise awareness amongst staff, to train them and to carry out audits;
(c) to advise you in relation to any data protection impact assessment, and,
(d) to cooperate with the Information Commissioner and be your organisational contact point on data protection matters.

As a recognition of the importance of this role, the DPO cannot be told how to do their job. They cannot be dismissed or penalised for doing their job. They must be allowed to report directly to the highest management level.

We can undertake this key and important role for you on the basis of a service contract.

For further information please contact us.
