Follow us on social media and share your feedback

App store Google play
UK
  • Singapore
  • Hong Kong
  1. East river Blog UK
  2. Does My Company Need A Data Protection Officer?

Author Renee YangRenee Yang

6 min read
Running My Business

Does My Company Need A Data Protection Officer?

Although protecting an individual’s data and privacy is important, many business owners are wondering if it is really necessary to appoint a Data Protection Officer for their company. Furthermore, with the UK government exiting from the EU, some entrepreneurs of businesses registered in the UK are also wondering about the revised data protection law.

In this article, we will share about the changes of GDPR and what regulation applies to your business, the roles and responsibilities of a Data Protection Officer, and the importance of appointing one.

Skip to:

EU GDPR vs UK GDPR
What is a Data Protection Officer?
What Are The Roles And Responsibilities Of A Data Protection Officer?
When Do I Need To Appoint A Data Protection Officer?
What Is Considered As Core Activities?
My Business Is A Small And Medium Enterprise (Sme). Do I Still Need To Appoint A DPO?
What Kind Of Qualification Should A Data Protection Officer Possess?
What Information Should I Publish About My Data Protection Officer?
Who Can Be My Company’s Data Protection Officer?
Will I Be Penalised If My Company Decides Against Appointing A Data Protection Officer?
The Importance Of Appointing A Data Protection Officer
Conclusion

EU GDPR vs UK GDPR

Previously, data protection laws in the UK were governed by EU General Data Protection Regulation (GDPR). This means, companies would follow EU GDPR during their collecting, using and processing of data. However, as the UK exited from the EU in January 2021, EU GDPR will no longer apply to the UK companies. Instead, EU GDPR has been incorporated into the UK data protection law, which is also known as UK GDPR.

If your company operates inside the UK and collects data of a UK citizen, you will need to comply with the UK GDPR. But if your company collects and processes data of EU citizens, you will need to comply with EU GDPR.

What Is a Data Protection Officer?

A data protection officer (DPO) is an independent data expert who oversees the security of personal data provided by the consumers and data protection regulations. In other words, a DPO is someone who safeguards precious personal information from external cyber attack and misuse of data. They are the ones who ensure that consumer’s personal data is not compromised.

What Are The Roles And Responsibilities Of A Data Protection Officer?

A DOP is usually in charge of the following tasks:

  1. Inform and advise the company and the staff about the obligations to comply with the UK GDPR and other data protection laws.
  2. Monitor internal compliance with the UK GDPR and other data protection laws.
  3. Manage internal data protection activities.
  4. Raise awareness among staff about data processing and ensure that they comply with the UK GDPR.
  5. Conduct internal audits to ensure compliance and raise potential data protection issues proactively.
  6. Provide advice and monitor the Data Protection Impact Assessments (DPIAs).
  7. Serve as the first point of contact for the Information Commissioner’s Office (ICO) and individuals whose data is being processed.

Likewise, a DPO needs to understand the risk of processing sensitive data while carrying out the above tasks.

When Do I Need To Appoint A Data Protection Officer?

Under the UK GDPR, it is mandatory to appoint a Data Protection Officer if your company falls within these categories:

  • A public authority or body
  • Your core activities require large scale, regular and systematic monitoring
  • Your core activities consist of large scale processing of special categories of data and data relating to criminals offences

A public authority refers to the following:

  • Government departments
  • Local government (such as councils)
  • National Health Service
  • Maintained schools and higher education sector
  • Police

Likewise, a public body refers to companies that are owned by the Crown or the wider public sector. If a company that is owned by both the Crown and the wider public sector, it is also considered as a public body.

What Is Considered As Core Activities?

Core activities are defined as the primary business activities of your company. There are companies that require processing of personal data in order to achieve their key objectives.

Tim works in a cooking school that provides cooking and baking lessons to the public. The school collects personal data of students who have signed for lessons. However, they use and process these data to recommend other new lessons to them or share it with third party vendors such as a food & beverage company. These personal data are considered as core activities, as it helps to drive revenue to their cooking school.

A pharmaceutical company processes a special data of the customers who have attended a clinical trial. These special data comprises their health, race, religion and sexual orientation. This can be considered as processing special data on a wide scale.

My Business Is A Small And Medium Enterprise (Sme). Do I Still Need To Appoint A DPO?

It is not mandatory for small and medium size enterprise businesses to appoint a DPO. However, that doesn’t mean they shouldn’t. Though it’s not required under UK GDPR, you may voluntarily do so. Many small and medium size enterprise businesses might not have set aside a budget for a DPO, and believe it is not necessary. But there are many benefits in appointing a DPO. The appointed officer is able to advise you on data processes and raise any potential misuse of data. As more people are sharing their personal data online and instead of getting worried about data being compromised, a DPO will ensure these personal data are protected according to the regulations.

If you have questions about appointing a DPO for your company or want to find out more, drop us a line and we are happy to chat with you!

What Kind Of Qualification Should A Data Protection Officer Possess?

Under the UK GDPR, it doesn’t specify the qualification a DPO should possess. However, a DPO should have the following:

  1. Have experience and expert knowledge of the UK GDPR and other European data protection law.
  2. Able to handle high sensitive data and anticipate any potential issue arising from these data.
  3. Possess a good knowledge of the company’s industry, data protection needs and processing of core activities.

Who Can Be My Company’s Data Protection Officer?

An existing staff member of your company who possesses the knowledge of UK GDPR and able to handle the data collected can be a DPO. For small and medium businesses where there might be a shortage of staff who are trained in this aspect, it is common for them to outsource the role of DPO externally. And that is perfectly fine too. What is more important is that the tasks and the duties must be the same as the one given to an existing staff.

What Information Should I Publish About My Data Protection Officer?

After appointing a DPO for your company, you will need to publish the contact details of your DPO. The purpose of releasing this information is to enable the public and ICO to contact your DPO if they face any issue regarding their personal data.

Will I Be Penalised If My Company Decides Against Appointing A Data Protection Officer?

Perhaps, after some deliberation, your company may have decided not to appoint a DPO either voluntarily or you do not fit the requirements. Under the UK GDPR, there is no penalty if you have decided not to. However it is advisable to record the decision that you have decided not to appoint a DPO as a way to demonstrate your compliance to the regulations.

The Importance Of Appointing A Data Protection Officer

As companies rely on digital technology and personal data to operate their businesses smoothly and effectively, it runs the risk of getting this important information being compromised. Although UK GDPR only requires companies that are a public authority or body to appoint a DPO, it is likely SME companies will soon have to appoint a DPO. This is due to the nature of the data processed and the core activities that the company handles. Companies might handle sensitive personal data at some point during their business transactions. Therefore, it is important to appoint a DPO to oversee your company’s data protection activities. With a DPO, the appointed person is able to review the existing data protection practices and update the processes periodically.

Conclusion

As you can tell, DPO plays an important role in companies today by monitoring internal compliances. Likewise, it is not the size of the companies that matters. What’s important is the amount of data and the scope of activities that the company processes. If you have more questions on how Brexit is affecting your business in the UK, we’ve put together a concise guide of everything you need to know.

Share this post:
Tags:

Tips to run your business smarter.
Delivered to you monthly.

You'll receive a verification email you'll have to open and confirm the subscription.

You might like it

Tax

How To Reduce Taxable Income for Small Businesses

As a business owner, you can’t escape paying taxes. But what kind of taxes would you have to pay, and how are you taxed?

8 min read
E-commerce

5 E-Commerce Niches To Pay Attention To

If you’re just starting or looking to go in a new direction, finding a lucrative niche will make every part of running your e-commerce business easier. This article will look at the trending e-commerce niches to consider.

8 min read
Running My Business

13 Types Of Small Business Loans That Could Help Grow Your Company

There are many reasons why opting for a small business loan could be beneficial, offering an important injection of cash when you really need it. And the good news is there are lots of different types of business loans in the UK.

12 min read
Incorporation

How To Choose a Company Name for First Time Business Owners

If you’re setting up a company in the UK, one of the first steps to get your business up and running is to choose a name for your company. A company’s name and logo determines how your potential customers and partners view your company.

6 min read
Accounting

How UK E-Commerce Owners Wrongly Account for Cost of Goods Sold

Are you trying to understand why your e-Commerce cost of goods sold is too high? If you are struggling to know how to calculate this to find whether there are any mistakes, this article can help you find a solution.

5 min read
Customer Stories

How Foggywipe Grew Sales Instead Of Spending 300 Hours A Year On Accounting

Webb had good sales coming to his online shop especially when he launched Facebook ads. However, when it came to bookkeeping and accounting, he had no clue about what to do.

2 min read
Running My Business

How To Transfer Shares As a Private Company

In a UK company, shares are often transferred from one shareholder to another. Depending on your business model and how you wish to proceed, you may want to issue, allocate, or transfer shares.

5 min read
Running My Business

Is Cryptocurrency Right for Your Business Operations?

There are more than 4,000 cryptocurrencies that exist. Before you jump on the bandwagon, assess whether cryptocurrencies are suitable to be used in your business.

8 min read
Entrepreneur's Bootcamp

What Are Directors' Duties In The UK?

We bring you through what kind of directors there are, who can become a company director, a director’s duties and what the role entails.

5 min read
Entrepreneur's Bootcamp

A Guide to Opening Your First Business Bank Account in the UK

If you are a small business owner, you are not required legally to have a corporate bank account. However, opening your corporate bank account has its advantages and can help you keep your accounts clean.

8 min read
E-commerce

10 Tips How To Sell Digital Products Online

Digital products are easier to sell than physical products. There is no need to keep stock or worry about expiration dates, packaging, or shipping. You earn revenue as long as you keep them available for download online. Pretty attractive, what say you?

10 min read
E-commerce

7 Best Ways To Accept Payments For Your Online Store

Many payment options allow you to accept credit cards and other payment types. How do you choose which method to include on your website?

15 min read

Tips to run your business smarter. Delivered to you monthly.

You'll receive a verification email you'll have to open and confirm the subscription.

We’re using cookies! What does it mean?