Data Protection Officers: do you need one?

With the EU Data Protection Regulation coming into force in less than a year, many organisations have started to put some measures into place so that they’ll be compliant come 25th of May next year. One question that still seems to baffle many is whether they’ll need to hire a Data Protection Officer.

The International Association of Privacy Professionals predicts with the new regulation, demand for Data Protection Officers will rise significantly. They estimate it will create approximately 75.000 new DPO positions worldwide. That’s a lot of positions to be filled, but that leads to the question: who exactly will need a DPO?

The Fine Print

Contrary to what you may have read, not every organisation will be required to hire a Data Protection Officer. The European Union’s Guidelines on Data Protection Officers states the following:

“it is mandatory for certain controllers and processors to designate a DPO. This will be the case for all public authorities and bodies (irrespective of what data they process), and for other organisations that – as a core activity – monitor individuals systematically and on a large scale, or that process special categories of personal data on a large scale.” 

In summary, any company which qualifies as a public authority or core business is data processing and inextricably linked to data processing must assign a DPO.

However, the guideline doesn’t specify what constitutes a public authority. The reason for that is the law on public authorities varies from country to country.  It is therefore responsibility of the individual organisation to understand the law of their native country and if appropriate appoint a Data Protection Officer. If an organisation does not immediately fall under these rules, it is up to the company’s controllers and processors to evaluate whether a DPO is required for the organisation.

The Right Person for the Job

When it comes to finding the right DPO, there are a few things to keep in mind. For example, it’s necessary for the candidate to have a good understanding of the legal framework and the data protection regulation, but they don’t actually need to be a lawyer by trade or education. You can hire someone within the organisation, but as there can be no conflict of interests, you might be better off with hiring someone new or employing an external consultant.

Lastly, it’s important to keep in mind that hiring a Data Protection Officer is not enough to get you off the hook, so to speak. A DPO is s first and foremost a controller and advisor, not the implementer of your data protection; your company will still be responsible for carrying out a range of practices to ensure compliance with the new regulation.

By Harshini Carey, Regional UK Director, KMD Neupart UK


Join our free-to-attend digital event, Last Thursday in Privacy, addressing data protection, privacy and security challenges including working from home, COVID-19, global regulations and more. Visit https://digital.privsec.info/.

We have been awarded the number 1 GDPR Blog in 2019 by Feedspot.