Under GDPR, you must appoint a data protection officer (DPO) if you
- are a public authority (except for courts acting in their judicial capacity);
- carry out large scale systematic monitoring of individuals (for example, online behaviour tracking); or
- carry out large scale processing of special categories of data or data relating to criminal convictions and offences.
If your business does not perform any of the above, it may still decide to appoint a DPO voluntarily. However, even though the appointment would not be mandatory in that case, there is no ‘DPO-lite’. There is an obligation in Article 37(5) to ensure you appoint a person who is adequately resourced and who is selected on the basis of their “professional qualities” and “expert knowledge of data protection law and practices”.
The guidelines suggest that the level of expertise “must be commensurate with the sensitivity, complexity and amount of data an organisation processes” and that prospective DPOs “should have expertise in national and European data protection laws and practices and an in-depth understanding of the GDPR.” It is expected that this experience would be drawn from backgrounds such as risk management and legal practice, and from accreditations such as ISO27001 and CIPP-E certification.
The ICO provides useful guidance on DPOs at https://ico.org.uk/for-organisations/data-protection-reform/overview-of-the-gdpr/accountability-and-governance/
Contact our Data Protection and GDPR Solicitors in Liverpool, Wirral, Merseyside and across England & Wales