6 min readJul 1, 2021

Running My Business

Does My Company Need A Data Protection Officer?

Although protecting an individual’s data and privacy is important, many business owners are wondering if it is really necessary to appoint a Data Protection Officer for their company. Furthermore, with the UK government exiting from the EU, some entrepreneurs of businesses registered in the UK are also wondering about the revised data protection law.

In this article, we will share about the changes of GDPR and what regulation applies to your business, the roles and responsibilities of a Data Protection Officer, and the importance of appointing one.

Previously, data protection laws in the UK were governed by EU General Data Protection Regulation (GDPR). This means, companies would follow EU GDPR during their collecting, using and processing of data. However, as the UK exited from the EU in January 2021, EU GDPR will no longer apply to the UK companies. Instead, EU GDPR has been incorporated into the UK data protection law, which is also known as UK GDPR.

If your company operates inside the UK and collects data of a UK citizen, you will need to comply with the UK GDPR. But if your company collects and processes data of EU citizens, you will need to comply with EU GDPR.

What Is a Data Protection Officer?

A data protection officer (DPO) is an independent data expert who oversees the security of personal data provided by the consumers and data protection regulations. In other words, a DPO is someone who safeguards precious personal information from external cyber attack and misuse of data. They are the ones who ensure that consumer’s personal data is not compromised.

What Are The Roles And Responsibilities Of A Data Protection Officer?

A DOP is usually in charge of the following tasks:

Inform and advise the company and the staff about the obligations to comply with the UK GDPR and other data protection laws.
Monitor internal compliance with the UK GDPR and other data protection laws.
Manage internal data protection activities.
Raise awareness among staff about data processing and ensure that they comply with the UK GDPR.
Conduct internal audits to ensure compliance and raise potential data protection issues proactively.
Provide advice and monitor the Data Protection Impact Assessments (DPIAs).
Serve as the first point of contact for the Information Commissioner’s Office (ICO) and individuals whose data is being processed.

Likewise, a DPO needs to understand the risk of processing sensitive data while carrying out the above tasks.

When Do I Need To Appoint A Data Protection Officer?

Under the UK GDPR, it is mandatory to appoint a Data Protection Officer if your company falls within these categories:

A public authority or body
Your core activities require large scale, regular and systematic monitoring
Your core activities consist of large scale processing of special categories of data and data relating to criminals offences

A public authority refers to the following:

Government departments
Local government (such as councils)
National Health Service
Maintained schools and higher education sector
Police

Likewise, a public body refers to companies that are owned by the Crown or the wider public sector. If a company that is owned by both the Crown and the wider public sector, it is also considered as a public body.

What Is Considered As Core Activities?

Core activities are defined as the primary business activities of your company. There are companies that require processing of personal data in order to achieve their key objectives.

Tim works in a cooking school that provides cooking and baking lessons to the public. The school collects personal data of students who have signed for lessons. However, they use and process these data to recommend other new lessons to them or share it with third party vendors such as a food & beverage company. These personal data are considered as core activities, as it helps to drive revenue to their cooking school.

A pharmaceutical company processes a special data of the customers who have attended a clinical trial. These special data comprises their health, race, religion and sexual orientation. This can be considered as processing special data on a wide scale.

My Business Is A Small And Medium Enterprise (Sme). Do I Still Need To Appoint A DPO?

It is not mandatory for small and medium size enterprise businesses to appoint a DPO. However, that doesn’t mean they shouldn’t. Though it’s not required under UK GDPR, you may voluntarily do so. Many small and medium size enterprise businesses might not have set aside a budget for a DPO, and believe it is not necessary. But there are many benefits in appointing a DPO. The appointed officer is able to advise you on data processes and raise any potential misuse of data. As more people are sharing their personal data online and instead of getting worried about data being compromised, a DPO will ensure these personal data are protected according to the regulations.

If you have questions about appointing a DPO for your company or want to find out more, drop us a line and we are happy to chat with you!

What Kind Of Qualification Should A Data Protection Officer Possess?

Under the UK GDPR, it doesn’t specify the qualification a DPO should possess. However, a DPO should have the following:

Have experience and expert knowledge of the UK GDPR and other European data protection law.
Able to handle high sensitive data and anticipate any potential issue arising from these data.
Possess a good knowledge of the company’s industry, data protection needs and processing of core activities.

Who Can Be My Company’s Data Protection Officer?

An existing staff member of your company who possesses the knowledge of UK GDPR and able to handle the data collected can be a DPO. For small and medium businesses where there might be a shortage of staff who are trained in this aspect, it is common for them to outsource the role of DPO externally. And that is perfectly fine too. What is more important is that the tasks and the duties must be the same as the one given to an existing staff.

What Information Should I Publish About My Data Protection Officer?

After appointing a DPO for your company, you will need to publish the contact details of your DPO. The purpose of releasing this information is to enable the public and ICO to contact your DPO if they face any issue regarding their personal data.

Will I Be Penalised If My Company Decides Against Appointing A Data Protection Officer?

Perhaps, after some deliberation, your company may have decided not to appoint a DPO either voluntarily or you do not fit the requirements. Under the UK GDPR, there is no penalty if you have decided not to. However it is advisable to record the decision that you have decided not to appoint a DPO as a way to demonstrate your compliance to the regulations.

The Importance Of Appointing A Data Protection Officer

As companies rely on digital technology and personal data to operate their businesses smoothly and effectively, it runs the risk of getting this important information being compromised. Although UK GDPR only requires companies that are a public authority or body to appoint a DPO, it is likely SME companies will soon have to appoint a DPO. This is due to the nature of the data processed and the core activities that the company handles. Companies might handle sensitive personal data at some point during their business transactions. Therefore, it is important to appoint a DPO to oversee your company’s data protection activities. With a DPO, the appointed person is able to review the existing data protection practices and update the processes periodically.

Conclusion

As you can tell, DPO plays an important role in companies today by monitoring internal compliances. Likewise, it is not the size of the companies that matters. What’s important is the amount of data and the scope of activities that the company processes. If you have more questions on how Brexit is affecting your business in the UK, we’ve put together a concise guide of everything you need to know.

EU GDPR vs UK GDPR