GDPR & Data Protection

Data Protection Officers (DPO) Guide Responsibilities & Best Practices

Appointing a Data Protection Officer makes information security a lot easier and reduces the risk of costly fines. But what is a DPO and what do they do?


Luke Peach Head of Compliance Services

20/01/2025

What is a data protection officer?

A Data Protection Officer (DPO) is responsible for overseeing a company’s processing of personal data, ensuring compliance with relevant data protection laws such as the UK GDPR or EU GDPR. Acting as a bridge between your organisation, data subjects, and regulatory authorities like the ICO, the DPO ensures that robust data protection strategies are implemented to safeguard personal data and uphold the rights of individuals. Their role includes monitoring compliance, conducting risk assessments, and advising on best practices for data protection.

While the concept of a DPO predates the General Data Protection Regulation (GDPR), the introduction of GDPR placed greater emphasis on securing personal data and ensuring accountability. Data subjects (i.e., individuals whose personal data is being processed) are now more aware of their rights and how to exercise them, making the role of the DPO increasingly essential in modern organisations.


What does a data protection officer do?

A Data Protection Officer’s (DPO) role is varied, encompassing many day-to-day tasks that ensure robust data protection strategies are in place and aligned with relevant regulations. Key responsibilities include:

  • Handling data breaches: Informing data subjects and the ICO (in the UK) promptly in the event of a breach.
  • Providing training: Educating employees on data protection best practices and regulatory requirements.
  • Advising on Data Protection Impact Assessments (DPIAs): Offering guidance on conducting DPIAs and monitoring their progress.
  • Reviewing policies and procedures: Ensuring internal policies are up-to-date and compliant with the latest data protection laws.
  • Acting as the main contact point for regulatory authorities: Facilitating communication and cooperation with bodies like the ICO.
  • Liaising with data subjects: Addressing subject access requests and ensuring individuals’ rights are upheld.

Recent developments:

The DPO’s responsibilities have expanded significantly in recent years to address the challenges posed by emerging technologies and regulatory scrutiny. For instance:

AI and Advanced Data Analytics: DPOs are increasingly involved in overseeing compliance around AI technologies, ensuring that organisations apply principles such as Data Protection by Design to these new technologies.

Regulatory Focus: In 2023, the European Data Protection Board (EDPB) launched enforcement actions to assess the designation, independence, and role of DPOs in various organisations, reinforcing the importance of this role in modern data protection frameworks.

It’s important to note that, while a DPO provides advice and guidance on GDPR compliance, the ultimate responsibility for compliance lies with the data controller or data processor. These entities remain liable in the case of non-compliance, not the DPO.

Does my company legally need a DPO?

Since the introduction of GDPR, certain companies are legally required to appoint a Data Protection Officer (DPO). Your business must have a DPO if:

  1. You are a public authority or body

    Public authorities and bodies are legally required to appoint a DPO. Examples include schools, hospitals, local governments, and other publicly owned organisations.

  2. Your core activities involve large-scale, regular, and systematic monitoring of individuals

    This includes activities such as tracking and profiling individuals. For example:

    • Using CCTV for surveillance.
    • Retailers monitoring customer searches to deliver targeted advertisements.

  3. Your core activities involve the large-scale processing of special category data

    Businesses processing special category data must appoint a DPO. Special category data includes:

    • Genetic data
    • Trade union membership
    • Health information
    • Sexual orientation
    • Race or ethnicity
    • Political opinions
    • Identifiable biometric data

If you don’t meet these criteria

Even if your business doesn’t fall under the above categories, you are still responsible for managing and protecting the personal data you hold. Appointing a DPO is strongly recommended, as it helps you remain compliant with data protection laws and better prepared to handle any data-related enquiries or breaches.


What rights do data subjects have?

GDPR significantly expanded the rights of data subjects, granting them greater control over their personal data and leading to an increase in the number of requests a DPO might receive. Under GDPR, individuals in the EU have the following rights:

The right to be informed

Data subjects are entitled to specific information about your data processing activities, including:

  • How their data is processed.
  • How long it will be retained.
  • Their rights under GDPR.
  • The right to lodge a complaint with a supervisory authority.

This information should be outlined in a clear, well-written privacy notice.

The right of access

Data subjects can request confirmation of whether their data is being processed and, if so, obtain a copy. Companies must:

  • Provide the data within 30 days of receiving the request.
  • Deliver the information in a clear and easily accessible format.
  • Fulfil the request free of charge, unless it is excessive or repetitive.

The right of rectification

If a data subject’s information is incorrect or incomplete, they have the right to request corrections or updates.


The right to erasure (right to be forgotten)

Data subjects can request their personal data be erased from all platforms if:

  • The data was processed unlawfully.
  • The data is no longer needed and there is no legal purpose for retaining it.
  • Consent to processing has been withdrawn (assuming consent was the legal basis).
  • They object to processing and there are no overriding legitimate grounds.

The right to restrict processing

Data subjects can request that their data is no longer processed if:

  • The data is inaccurate.
  • The data is no longer needed but must be retained for legal purposes.
  • They have requested data erasure, and the request is being processed.

While processing must cease, the data can still be stored during this time.

The right not to be evaluated based on automated processing

GDPR allows data subjects to object to decisions made solely through automated processing if those decisions have a significant impact on them (e.g., job applications, credit approval).

The right to object

Data subjects can object to the processing of their data at any time if:

  • There is no legitimate need for processing.
  • Processing is based on consent, and they have withdrawn that consent.

The right to complain

Data subjects have the right to file complaints about how their data is processed. Organisations must ensure:

  • Data subjects are informed of their right to complain.
  • Clear instructions are provided on how to lodge complaints, including contact information for the relevant regulatory authority.

Who can be a Data Protection Officer?

The role of a Data Protection Officer (DPO) can be filled by someone already working within your organisation. However, their responsibilities must be dedicated exclusively to data protection, with no conflicting duties. For example, a member of the marketing team cannot also act as the DPO, as their role involves decisions about how personal data is used, which would create a conflict of interest. Alternatively, you can appoint a dedicated, full-time DPO to focus solely on this responsibility.

An internal DPO should have no other duties beyond data protection

Can a CISO act as the DPO?

While a CISO’s skills may complement the DPO role, they cannot act as the DPO due to a conflict of interest. The DPO must operate independently and report directly to the highest authority (e.g., the board or CEO), whereas CISOs typically report to CIOs or CFOs and set the organisation's security policy.

A CISO acting as a DPO would result in self-monitoring, which undermines impartiality. However, a CISO can support the DPO by providing insights and expertise.


Can I appoint more than one DPO?

No, you can only appoint one DPO as the single point of contact for data subjects and regulatory authorities. However, additional data protection staff can support the DPO if necessary.

What qualifications should a DPO have?

There are no formal qualifications required for a DPO, but they should have:

  • Expert knowledge of data protection law, particularly GDPR.
  • Familiarity with the organisation’s industry or sector.
  • A strong understanding of information security.

Certified DPO training courses can help candidates better understand the role and its responsibilities.

What are the risks of not having a DPO?


Even if you are not legally required to appoint a DPO, you must still designate someone responsible for personal data under GDPR. Failure to do so can lead to:

  • Missed deadlines for handling data subject requests.
  • Poor communication with regulatory authorities during a breach.
  • Severe legal and financial consequences for non-compliance.

Properly appointing a DPO or responsible individual ensures data protection is managed effectively and mitigates potential risks.

Benefits of outsourcing DPO services


Outsourcing the role of a Data Protection Officer (DPO) has become a popular choice for many organisations since the introduction of GDPR. It offers numerous advantages, making it an ideal solution for businesses of all sizes:

  • Cost-Effectiveness: Outsourcing is often a more affordable alternative to hiring a full-time, in-house DPO. Many businesses only require a DPO’s expertise for a few hours each month, allowing them to pay for the exact level of service they need.
  • Independence and Objectivity: An outsourced DPO is completely independent of your business operations, eliminating any risk of conflicts of interest. This ensures impartial advice and a fresh perspective on your compliance strategies.
  • Expertise and Experience: Outsourced DPOs, like those at Bulletproof, are highly trained professionals with in-depth knowledge of GDPR and data protection laws. Having worked with a variety of organisations across multiple industries, they bring a wealth of experience, including handling data breaches and preparing regulatory reports.
  • Tailored Solutions: When you outsource, you have the flexibility to customise the level of service to suit your specific needs, whether it’s occasional consultation or ongoing support.

With Bulletproof’s outsourced DPO services, you gain access to a dedicated team of experts who can guide your organisation through the complexities of GDPR compliance. From advising on policies to managing data breaches, our DPOs ensure your business is always prepared and protected.

Outsourcing the DPO role is often a more cost-effective solution

What does a data protection officer cost?

Cost of an in-house data protection officer

The average yearly salary for a dedicated in-house Data Protection Officer (DPO) is around £49,000, depending on location. However, this figure does not include additional costs, such as:

  • Benefits and allowances: Paid holidays, pensions, and other perks.
  • Absence management: Coverage for holidays, sick leave, or unexpected absences.
  • Recruitment costs: Advertising, interviewing, and onboarding new hires, which can add significant upfront expenses.

For larger organisations with extensive data protection requirements, an in-house DPO may be a practical choice, but these costs should be weighed against other options.

Cost of outsourcing the data protection role

Outsourcing the DPO role is often a cost-effective solution, particularly for SMEs that may not need a full-time DPO. With outsourcing, you only pay for the time and expertise required, allowing for greater flexibility.

Approximate costs for outsourcing:

  • Small businesses (<20 employees): Typically require around 1 day per month. Costs start from £1,000 per month, with virtual delivery and quarterly on-site visits.
  • Medium businesses (21-200 employees): Typically require 1-2 days per month. Costs start from £1,000 - £2,000 per month, with on-site delivery recommended.
  • Enterprise businesses: Require bespoke packages based on complexity, size, and data handling needs. Costs vary significantly but are tailored to the organisation's specific requirements.

Additional benefits of outsourcing:

  • Access to a highly qualified and experienced DPO without the full-time salary.
  • A scalable solution that adapts to your changing business needs.
  • Independence and objectivity, reducing the risk of conflicts of interest.

Does a data protection officer secure personal data?

While a Data Protection Officer (DPO) plays a key role in ensuring that personal data is kept secure and private, they rely on collaboration across all departments and staff members to implement these measures effectively.

For example:

  • The IT team is responsible for securing systems, such as locking down folders and managing access controls.
  • HR must ensure they follow proper processes and only share information with those who strictly need it.

A DPO provides guidance and oversight, advising on procedures, testing technical controls, and ensuring compliance with data protection regulations. However, the DPO does not implement these measures directly.

In short, protecting personal data is a shared responsibility that requires cooperation across the entire organisation.

How do I appoint a DPO?

  1. Determine if a DPO is legally required

    Assess whether your organisation is legally required to appoint a Data Protection Officer (DPO) under GDPR. This depends on factors such as the nature of your activities, the type of data you process, and the scale of processing.

  2. Conduct a data audit

    Perform a rough audit of the volume and types of data your organisation collects and processes. This helps you understand your data protection needs and the scope of the DPO’s responsibilities.

  3. Decide between in-house or outsourcing

    Determine whether you will hire a dedicated, in-house DPO or outsource the role to an external provider. Consider factors such as cost, expertise, and the complexity of your data processing operations.

  4. Select a qualified candidate

    Choose a candidate with:

    • In-depth knowledge and experience in data protection law, particularly GDPR.
    • Familiarity with your industry and its specific data protection challenges.
    • A solid understanding of information security practices.

A Data Protection Officer plays a vital role in safeguarding the privacy and rights of your data subjects, including both customers and employees. An experienced DPO helps your organisation maintain compliance with GDPR, protecting it from potential legal repercussions and costly fines.

A data protection officer plays a vital role in protecting the rights of data subjects

Our DPOs are cybersecurity experts

At Bulletproof, our DPOs are not only qualified EU GDPR practitioners but also cybersecurity experts with extensive experience. They bring a wealth of data protection knowledge, offering professional training in both GDPR compliance and cybersecurity best practices. Supporting organisations of all sizes and industries, our DPOs excel at navigating the complexities of data protection, ensuring your business remains secure and compliant.

Summary

Whether you are legally required to appoint a Data Protection Officer (DPO) or not, every business handling data on EU/UK citizens must have someone accountable for protecting personal data. Dedicated DPO services can relieve the burden of maintaining GDPR compliance while managing other critical duties.

The role of a DPO is both varied and time-intensive, but its value is undeniable in safeguarding your business. Beyond avoiding fines, a DPO helps prevent reputational damage and mitigates the risk of claims from data breaches or poor data management practices.

When selecting your DPO, ensure you make an informed decision that aligns with your organisation’s needs. Whether you choose to appoint a staff member, hire a dedicated in-house DPO, or outsource the role to a trusted provider like Bulletproof, the right choice will strengthen your data protection framework and instil confidence in your stakeholders.


Meet the author

Luke Peach Head of Compliance Services

Luke is Bulletproof’s Head of Compliance, and can often be found coming up with new, innovative, and entertaining ways to evolve our compliance services portfolio. His passion for compliance and business insights always comes through in his articles.
