Nov 29

Data Protection Officer

DPOrganizer’s GDPR Requirements Series

17# Data Protection Officer

Moving on from last Tuesday’s post about DPIA’s, today we’re going to focus on another way to build accountability and governance into your organisation and enhance your privacy program. I’m referring to the requirement to under certain circumstances appoint a Data Protection Officer (DPO) to assist you with monitoring your internal compliance with the GDPR. Both controllers and processors can be obliged to appoint a DPO.

There are three situations in which you should appoint one:

  1. If your processing is carried out by a public authority or body (except for courts acting in their judicial capacity)
  2. Your core activities consist of processing operations which, by their nature, scope and/or purposes, require regular and systematic monitoring of data subjects on a large scale
  3. Your core activities consist of processing on a large scale of special categories of data or criminal data

Let’s elaborate on these situations and the criteria a bit further, as it can be a bit tricky to interpret them. By ‘core activities’ the GDPR means key operations necessary to achieve your goals –your organisation’s key objectives. Secondary objectives like HR or payroll management are examples of things that more often than not aren’t core activities. To determine if your processing activities are ‘large scale’ you could assess aspects such as the number of data subjects concerned, the volume of data or the range of different data items processed as well as the duration or geographic extent of the processing. Processing could be ‘regular’ if it’s ongoing or occurring at particular intervals for a particular period, recurring or repeated at fixed times, or constantly or periodically taking place. It could be ‘systematic’ if it’s occurring according to a system, pre-arranged, organised or methodical, taking place as part of a general plan for data collection, or carried out as a part of a strategy.

So, you now know when you should appoint a DPO –but what do they actually do? The DPO’s responsibilities are to in an independent and unbiased way monitor compliance with the GDPR, inform and advise the organisation as well as cooperate and act as a contact point for the supervising authority. The DPO should have expert knowledge in data protection law and practices. You should involve the DPO, properly and promptly, in all issues relating to the protection of personal data. The DPO’s independence could be guaranteed by, among other things:

  • You don’t give the DPO any instructions regarding the exercise of their tasks
  • There is no dismissal or penalty for the performance of their tasks
  • There is no conflict of interest with other tasks and duties, including that the DPO should not hold a position that necessitates them to determine the purpose and means of processing

What if you consider this information and decide to not appoint a DPO? If you choose to not appoint a DPO on the mandatory rules or voluntarily, it’s recommended to document the process leading up to your decision. You should demonstrate that you have looked at the relevant factors and concluded that your privacy program doesn’t need a DPO as a resource.

If you would like more detailed information about the DPO’s role, responsibilities and when to appoint one, please see the WP29 Guidelines and the ICO Guidelines.

I hope you find this post useful when you’re evaluating whether or not to appoint a DPO. Feel free to contact our Professional Services team at DPOrganizer or the privacy community Watercooler if you have further questions on the matter. Next week, Albin ( will explain the concept of data protection by design and by default, also referred to as DPbDD. Have a nice week!

See more related posts »

Related blog posts

Learn together with +8000 privacy pros

Grow and improve with our best tips and tricks. No spam, ever.

  • Hidden