Must I really appoint a Data Protection Officer?

Updated: May 2, 2018

"We keep hearing that a DPO role within our organisation is mandatory. Is this true?"

Despite what you may have heard, appointing a Data Protection Officer (DPO) for your organisation is not necessarily mandatory.

Should Alan the Plumber or John the part-time Consultant hire or act as a DPO for their small businesses? This is likely to be impractical, and although the GDPR applies to all UK businesses, it is not designed to make life deliberately difficult!

So, if you are a small company processing small amounts of data, it's likely you have no need for a DPO. Article 37 of the GDPR makes it quite clear when you must have a DPO:

  • Your organisation is a public body;

  • Your organisation monitors individuals on a large scale;

  • Your core activities include large-scale processing of 'special' categories of personal data (i.e. information about race, health, political affiliations, sexual orientation, sex life, etc.); or

  • Your core activities include large-scale processing of criminal data.

Of course, 'large-scale' and 'core activities' are open to an element of interpretation. However, if you fail to appoint a DPO when it's mandatory, your business could be fined up to 2% of global annual turnover or €10 million! If you don't believe you need a DPO, you must make sure you have a cast-iron and formally documented justification for your decision.

Can I appoint a DPO anyway?

Of course! However, if you are not required to appoint a DPO, you should be cautious about how you do this. The job title of Data Protection Officer will require the person filling this role to abide by all the rules set out in the GDPR, including all those within Article 37, and could place you or your business in an uncomfortable bind.

Alternatively, you could assign the responsibility for GDPR compliance to an employee but give them a different title, such as Data Privacy Adviser.

This may be the ideal way forward for many small to medium-sized businesses. Assigning a Data Privacy Adviser when a DPO isn't mandatory may help you avoid some of the more complex elements of the GDPR. At the same time, having someone dedicated to the role will help ensure your business stays on the right side of the law, and will also help with the due diligence processes your business may have to go through to win those all-important client contracts.

And for those who don't have the resources or in-house expertise to manage their DPO or Privacy Adviser activities, PECOMi Consulting are able to provide this as part of their suite of GDPR solutions.
