A data protection officer (DPO) is an employee, contractor or company that has been assigned key data protection roles and responsibilities within an organisation. Data protection officers help organisations to ensure personal data are processed lawfully and securely. Some laws, such as the EU General Data Protection Regulation (EU GDPR) and, in the UK, the UK GDPR and Data Protection Act 2018, oblige organisations to designate a data protection officer in certain circumstances.
Read on to learn whether and when your organisation needs to appoint a data protection officer.
Does my organisation need a DPO?
It is good practice for any organisation that handles data important to its business processes to have a DPO. However, your organisation will only have a legal duty to appoint a DPO (Article 37(1) of the GDPR) if any one of the following conditions is satisfied:
Your organisation is a public authority or body, other than a court acting in a judicial capacity.
Your organisation’s core activities consist of processing operations that require regular and systematic monitoring of individuals on a large scale.
Your organisation’s core activities consist of processing special category data (for example health, biometric or genetic data) or criminal conviction and offence data on a large scale. An example would be an organisation whose main business is conducting criminal background checks on behalf of employers.
Note that the second and third conditions refer to core activities. Processing that is merely ancillary to the main business (for example routine payroll or HR administration) does not by itself trigger the duty to appoint a DPO, although a public authority must appoint one regardless. Here are some examples of organisations that need, or are likely to need, a DPO:
A company that employs 500 people and whose business involves routinely and systematically monitoring sensitive personnel records on a large scale (for example as a core part of its service) is likely to need to appoint a DPO.
A high-street retailer with CCTV cameras in operation in public spaces with heavy footfall will routinely and systematically monitor individuals on a large scale and is likely to need to appoint a DPO.
An average-sized school will routinely and systematically process and monitor pupil data on a large scale, including sensitive data about safeguarding matters and vulnerable children, and (as a public authority in most cases) will need to appoint a DPO for the school.
What is considered large-scale processing?
“Large-scale processing” is not defined by data protection laws like the EU GDPR, the UK GDPR or the UK Data Protection Act 2018.
The UK Information Commissioner’s Office (ICO), following the European guidelines on DPOs, has issued the following guidance on the key things you need to consider when determining whether your organisation conducts ‘large-scale’ processing:
• the numbers of data subjects concerned;
• the volume of personal data being processed;
• the range of different data items being processed;
• the geographical extent of the activity; and
• the duration or permanence of the processing activity.
Here are some basic examples of what large-scale processing IS and is NOT:
Example A – Not large-scale processing
A small business that processes one hundred customer names and email addresses a year to fulfil one-off orders, and deletes the data once an order is complete, is not likely to be considered by the supervisory authority to be conducting ‘large-scale’ processing.
Example B – Large-scale processing
A small business processing large volumes of sensitive/special category data belonging to one thousand data subjects in 20 different countries, and retaining the data for 30 years as part of a long-term research project, is conducting ‘large-scale’ processing.
What is the role of the DPO?
The role of the DPO may vary depending on the country or countries in which the DPO operates.
The tasks that the DPO must complete in the EU and UK are defined by Article 39(1) and (2) of the EU GDPR (mirrored in the UK GDPR) as follows:
1. The data protection officer shall have at least the following tasks:
a) inform and advise the controller or the processor and the employees who carry out processing of their obligations pursuant to this Regulation [i.e., the GDPR] and to other Union or Member State [in the UK GDPR this reads “domestic law”, which in practice means the UK Data Protection Act 2018] data protection provisions;
b) monitor compliance with this Regulation, with other Union or Member State data protection provisions and with the policies of the controller or processor in relation to the protection of personal data, including the assignment of responsibilities, awareness-raising and training of staff involved in processing operations, and the related audits;
c) provide advice where requested as regards the data protection impact assessment and monitor its performance pursuant to Article 35 [Article 35 of the GDPR contains specific provisions relating to the DPO’s role in advising on data protection impact assessments];
d) cooperate with the supervisory authority;
e) act as the contact point for the supervisory authority on issues relating to processing, including the prior consultation referred to in Article 36 [Article 36 of the GDPR contains specific provisions on the requirement to consult the supervisory authority (e.g., the ICO) before processing when a data protection impact assessment indicates a high risk that the controller cannot sufficiently mitigate], and to consult, where appropriate, with regard to any other matter.
2. The data protection officer shall in the performance of his or her tasks have due regard to the risk associated with processing operations, taking into account the nature, scope, context and purposes of processing.
What is the DPO not responsible for?
In practice, the data protection officer is not responsible for making the controller or processor do anything. The DPO’s role is to inform the organisation they represent of its legal obligations, to provide advice when requested, to monitor compliance, and to cooperate and act as a contact point with the supervisory authority. It is for the controller or processor to decide whether it wishes to act upon the advice of the data protection officer or not, and the controller or processor remains legally responsible for compliance. The GDPR also protects the DPO’s independence: under Article 38(3) the DPO must not receive instructions regarding the exercise of their tasks and must not be dismissed or penalised for performing them. A good DPO will provide your organisation with reasonable foresight of its data protection risks, make pragmatic recommendations, and provide hands-on DPO support to mitigate your organisation’s risks.
Who should be a DPO?
According to Article 37(5) of the GDPR, an organisation must appoint a data protection officer based on their “professional qualities and, in particular, expert knowledge of data protection law and practices and the ability to fulfil the tasks [of the DPO]”.
Therefore, your organisation’s DPO should ideally have significant experience implementing complex data protection laws like the GDPR and UK DPA 2018 in practice.
Can my organisation outsource the DPO role?
Yes, you can outsource a DPO. Article 37(6) of the GDPR states that the “data protection officer may be a staff member of the controller or processor, or fulfil the tasks on the basis of a service contract.”
Many organisations choose to appoint a data protection officer through an outsourced DPO-as-a-service contract because they lack the in-house capacity, capability, or desire to fill the role internally.
Who does the DPO report to?
The GDPR and UK DPA 2018 do not name a specific role that a DPO should report to, but they are not silent on the matter: Article 38(3) of the GDPR requires that the DPO “directly report to the highest management level of the controller or the processor”. Within that constraint, each data controller and processor decides to whom its DPO reports.
In practice, your DPO should report to as senior a position within your organisation as possible, typically the board or an executive with board-level access. The DPO should report to someone who has the remit to approve significant business decisions and changes, accept risks, and allocate sufficient resources to support your DPO.
What is DPO registration?
DPO registration is the process of ensuring your organisation’s data protection officer is registered with the data protection supervisory authority (e.g., the ICO). Article 37(7) of the GDPR requires the controller or processor to publish the DPO’s contact details and to communicate them to the supervisory authority.
Do I need to register a DPO?
You must register a DPO with the supervisory authority if your organisation has a legal duty to appoint one. If you designate a DPO voluntarily, the European guidelines on DPOs state that the requirements of Articles 37 to 39 (including publishing and communicating the DPO’s contact details) apply as if the appointment had been mandatory, so you should register a voluntarily appointed DPO too. If you give someone data protection responsibilities without calling them a DPO, no registration is required, but you should make clear internally and externally that the person is not a DPO in the GDPR sense.
How much does a DPO cost?
DPO costs range from around £90 + VAT per hour for relatively junior DPOs, who may not have experience advising on complex data processing activities, up to around £650 + VAT per hour for major law firms and consulting firms that provide DPO services.
Exactly how much your organisation will need to spend on a DPO is generally linked to the level of data protection knowledge and expertise the DPO will require, and to whether your organisation chooses to appoint an existing team member to the role, hire a contractor, instruct lawyers, or contract an outsourced DPO service through a reputable DPO-as-a-service provider.
DPO costs example A: Internally employed DPO
Full-time employed DPOs command a salary of between £45,000 and £120,000 per year, depending upon their level of experience and the complexity of the organisation they represent. That does not include additional employment costs such as pension contributions, healthcare insurance, etc.
DPO costs example B: Contracted DPO Consultant
Individual DPO consultants/contractors tend to charge from £90 to £250 + VAT per hour, depending upon their level of experience and expertise.
If your organisation does not process sensitive data or conduct high-risk processing activities, then a relatively junior DPO consultant may be knowledgeable and experienced enough to be your DPO. A decent junior DPO consultant will likely cost your organisation anything from £100 to £125 + VAT per hour.
If your organisation conducts many high-risk processing activities with large volumes of sensitive data across geographic boundaries, it will likely require a highly experienced senior DPO consultant. Senior DPO consultant costs tend to start at £125 + VAT per hour and can go up to £250 + VAT per hour.
If your organisation finds an excellent individual DPO consultant, you should be in a good position, at least for most of the time. The challenge with contracting an individual is continuity: what will you do if the consultant is off sick or on holiday? It may not be an issue for small businesses with low-risk processing activities, but it would undoubtedly present a risk for larger and more complex organisations. Such organisations would likely gain much better value and continuity of service from an outsourced DPO service company than from an individual DPO consultant.
DPO costs example C: Outsourced DPO as a Service
Outsourced DPO service providers price and charge their services in very different ways. Some charge by the hour or the day, others by the month or the quarter. Outsourced DPO services charged by the hour tend to cost between £125 and £250 + VAT per hour, depending on the provider’s commercial model and the seniority of the DPO it appoints. DPO services charged by the day tend to cost between £1,000 and £1,800 + VAT per day. Most outsourced DPO service providers charge by the month, and tend to charge anything from £350 to £750 + VAT per month, depending on commercial models and the level of experience/seniority.
Whichever DPO option you choose for your organisation, its specific DPO costs will depend on its particular data processing activities and risks. The more complex your organisation and the more risks it is exposed to, the more likely it is that your organisation needs to pay for high-quality DPO advice and support. Spending a reasonable amount of money on hiring an excellent DPO, or contracting an excellent DPO as a service, is going to be far more cost-effective than leaving your business exposed to data protection risks.
About IG-Smart Ltd
IG-Smart Ltd is a multi-award-winning data protection, cyber security and GDPR consultancy and outsourced DPO-as-a-service provider. It won the Lawyer International, Global 100 and UK Enterprise Awards for “GDPR Consultancy of the Year” in 2020 and 2021, and “Best Cyber Security Consultancy Firm” in 2019, 2020 and 2021.