Data protection officers and their responsibilities


If you haven’t done so already, then you are going to need to appoint someone to take responsibility for this. It is a mandatory requirement to formally appoint a Data Protection Officer (DPO) under the GDPR’s where

  • you are a public authority (except for courts acting in their judicial capacity) or
  • you are an organisation that carries out regular and systemic monitoring of individuals on a large scale or
  • you are an organisation that carries out the large scale processing of special categories of data, such as health records or information about criminal convictions.

In terms of governance, it is important that a DPO is independent and that they report directly to the highest management level of an organisation. This is to secure buy-in at executive level to ensure the required resources and budgets are available to comply with the legislation.

A DPO’s contact details must be provided to the supervisory authority (in this country that authority is the Information Commissioners Office, or ICO) and the position requires that they have expert knowledge of data protection legislation and practices.

The role of a DPO is to inform and advise the controller or processor and employees processing personal data of their legal obligations and to monitor the compliance of the GDPR’s through regular training and audits. They must cooperate with, and be a contact point for, the ICO and must provide advice in relation to Data Protection Impact Assessments (DPIA).

A DPO will drive momentum on internal reviews of current policies and procedures to ensure that they are GDPR compliant and that they are adequately documented. They should be the primary contact point for notification of a data breach.

If we can assist you or your business in any way, or if you have any questions in relation to the services that we offer, please contact us. We look forward to working with you.

Data Protection Officers Checklist

  • Who is responsible for data protection in your organization?
  • Do you carry out systematic monitoring of individuals on a large scale?
  • Do you carry out large scale processing of special categories of data (sensitive personal information)?
  • Have you developed and rolled out data protection training to all personnel?
  • Has your appointed DPO received the necessary training to fulfill their role?
  • Do you have more than one establishment and are these cross borders? Consider whether more than one DPO is required.
  • How you will support the DPO with the necessary resources?