Data Protection Officer FAQs (and answers) - Cribb Cyber Security

Here are some Data Protection Officer FAQs that our team has often fielded. For those who aren’t familiar with the role a DPO plays in an organisation, that is broken down for you. If you are unsure whether or not you require a DPO, that should also become clear.

What is the role of the DPO?

The DPO is responsible for communicating with the Supervisory Authority on all matters or enquiries related to compliance. In the UK, the authority is the Information Commissioner’s Office (ICO).

The DPO must also ensure that the organisation is aware of its obligations under data protection law and regulations. They must guide it on what it means to be a data controller or data processor and what is expected of each.

Compliance with data protection provisions, including GDPR, is of paramount importance. Many organisations are required to have policies, procedures and regular training in place. The DPO must oversee and provide guidance with this via assurance and audit activity. The ideal scenario is to implement data privacy by design and the DPO is key to this by providing advice on Data Protection Impact Assessments (DPIAs).

What responsibilities does a DPO have?

There are many different aspects to deal with as a DPO. Typically, these include but are not limited to:

  • ICO registration
  • Data breach support and response
  • Subject Access Request (SAR) support
  • Policy and procedure support and advice
  • Data Protection Impact Assessment (DPIA) advice
  • Information security awareness training

Does my organisation need to appoint a DPO?

If the organisation is a public authority or body, then the answer is ‘yes’. If there is large-scale processing of sensitive data*, or regular and systematic monitoring of individuals, then it is ‘yes’ again.

The ICO nevertheless urges organisations to which these criteria do not apply to appoint a DPO, both to comply with the GDPR and to manage data protection.

*Sensitive data is defined under the GDPR as follows: “Data consisting of racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data, biometric data, data concerning health or data concerning a natural person’s sex life or sexual orientation.”

Who needs to comply with the GDPR?

Any organisation which processes the personal data of people in the European Union. Processing here can refer to the collection, storage, transmission and analysis of data. By ‘personal data’, we refer to any information relating to a person; for example, their names, email addresses, physical attributes and personal affiliations.

It is important to note that an organisation does not need to be based in or connected to the EU itself to fall within scope. It must comply if it processes the personal data of people in the EU. Another key point is that post-Brexit, GDPR is still required in the UK. To that end, the UK General Data Protection Regulation (UK GDPR) has been developed, tailored by the Data Protection Act 2018.

One other noteworthy point: should your organisation be an English one servicing data subjects from the EU, then you are required to appoint an EU representative. This is so even if you have an English DPO appointed. So, to be clear, in certain circumstances both DPA 2021 and GDPR 2018 come into play.

Who then can be a DPO?

A DPO can be either an existing employee or an externally appointed figure. They must be an expert in data protection and, crucially, the DPO must be independent. This latter point is often the driving force behind why so many organisations choose to outsource their DPO. For example, it should not be an IT Manager or Accountant, who have a vested interest in the environment and in the costs of protecting it.

Should we outsource our DPO?

Going by the point above, the answer is ‘yes’. Outsourcing your DPO can also be far more cost effective than an internal hire, as you save on holidays and overheads. The decision to outsource a DPO is typically also made to leverage external resources, experience and ability, rather than relying upon one individual.

We hope that our Data Protection Officer FAQs will be of use to you, particularly if this is an area you are yet to explore. If you require help with DPO services, then our team of experts would be delighted to help.

Find additional FAQs and discover more about CRIBB’s DPO as a Service offering.