A guide to appointing a data protection officer

A data protection officer (DPO) provides advice on data protection obligations, implements and monitors data protection and privacy policies, and responds to internal and external complaints.

 

In this article, we explore the role of the DPO in detail, looking specifically at the definition of tasks and responsibilities under the UK General Data Protection Regulations (GDPR). We examine whether your charity requires a DPO, the skills needed to become an effective DPO, the best way to decide on your DPO, and so much more. So, without further ado, let’s start with UK GDPR.

 

The need to appoint a DPO at your charity

 

Article 37 of UK GDPR clearly specifies that three conditions dictate whether a DPO must be designated. Organisations must appoint a DPO under the following circumstances:

• A public authority or body carries out the act of data processing
• Core activities of the people who control or process data involves regular and systematic monitoring of individuals on a large scale
• Core activities of the people who control or process the data involves the use, on a large scale, of special categories of data or personal data relating to criminal convictions

The last condition, revolving around special categories of data, is not a new concept and is subject to extra safeguards. Special categories can be found in Article 9 of UK GDPR. These include personal data revealing race, ethnicity, sexual orientation, health, and so on.

 

According to the above GDPR specifications, some charities may not need a DPO, particularly smaller organisations that process personal data only to establish or maintain membership. But it can be beneficial to onboard a DPO for small charities. DPOs serve to protect reputation, allow you to avoid fines, provide peace of mind, and generally keep data cleaner and safer.

 

A board of trustees is typically responsible for appointing a DPO. If you currently have no DPO, consult your trustees and consider the best person in your organisation for the role.

 

 

The main responsibilities of a DPO

 

A DPO has various tasks, some of which are mandatory. Article 39 of UK GDPR defines the minimum tasks that are legally required of the DPO. These include:

• Informing and advising the controller, employees, and other associated processers about obligations to comply with UK GDPR and other relevant data protection laws
• Monitor compliance with data protection laws, including managing internal data protection activities, advise on data impact assessments, train staff, and conduct internal audits
• Be the first point of contact for the Information Commissioner and for any individuals whose data has been processed

But a DPO can go above the minimum. They could conduct regular training with the team on a monthly basis, or perhaps more frequently, and ensure that all new staff have the full training.

 

 

Picking the right DPO for your charity

 

Charities need to find the best person to be a DPO. Your DPO can be an existing employee, as long as the employee is compatible with the duties of the DPO and does not lead to any conflicts of interest. But equally, as we’ll discuss below, you can hire for the role of DPO – which is most applicable to very large charities with bigger budgets and more data to handle– or outsource the role to a third-party.

 

Article 39 of UK GDPR says a DPO should be designated based on professional qualities and expert knowledge of data protection laws. Article 29 Working Party (WP29) published helpful guidance on DPOs, which suggests that DPOs should have the following skills and experience:

• Expertise in data protection laws and a substantial understanding of UK GDPR
• A specific understanding of IT, data security, and processing operations
• Knowledge of the charity sector and an in-depth knowledge of the charity
• The ability to promote data protection in the charity and the wider network
• On top of the above skills, legal skills in general would be helpful. Legal skills are often transferrable, particularly around interpreting legislation. Project management and communication skills may prove useful, too, as the DPO may need to manage compliance projects, work with and train staff on a frequent basis, and consult with regulatory authorities.

Ideally, DPOs should have a broad view of the charity. That will allow them to work effectively across departments, traverse silos, and co-ordinate data protection at an organisational level.

 

 

Other options for choosing a DPO

 

Some organisations choose to outsource a DPO. Some third parties offer monthly or yearly DPO subscription services, which offer charities the support required under UK GDPR. The benefits here are obvious: you’ll add no extra duties to current staff and the third party will already be experts in data protection and privacy. But an outsourced DPO can prove costly and charities should be conscious of sharing data with third parties, as this can create new problems.

 

Another option is to share a DPO across several organisations. The Information Commissioner’s Office (ICO) says charities can appoint a single DPO to act for a group of charities. If you share a DPO, charities must ensure the DPO can perform their tasks effectively, taking into account the structure and size of organisations.The ICO also says you should consider if one DPO can realistically cover a large or complex collection of organisations. You need to ensure they have the necessary resources to carry out their role and be supported with a team, if this is appropriate.

 

And, finally, a shared DPO must be easily accessible, so their contact details should be readily available to your employees, to the ICO, and people whose personal data you process.

 

 

Steps to take after you’ve picked a DPO

 

Once you’ve picked your DPO, remember that you need to publish contact details of your DPO and provide the right information to the ICO. Publishing the information allows individuals, employees, stakeholders, and the ICO to contact the DPO as necessary.

 

Charities are also required to provide a DPO’s contact details when consulting the ICO under Article 36 of UK GDPR and when providing privacy information to individuals under Article 13 and Article 14 of UK GDPR.