The DPO will be someone in your organisation, or a third-party specialist contracted to your organisation, who takes responsibility for your data protection compliance. (This does not pass the responsibility out of your care so much as ensure that there is an expert in the field able to handle your organisation's data security responsibilities.)
You must appoint a DPO where you are:
- a public authority (except for courts acting in their judicial capacity)
- carrying out large-scale, regular and systematic monitoring of individuals (e.g. online behaviour tracking)
- carrying out large-scale processing of Special Categories of data, or of data relating to criminal convictions and offences.
You may choose to have a DPO voluntarily if it is useful to you.
The DPO’s role is to:
- inform and advise the organisation and its employees about their obligations to comply with the GDPR and other data protection laws
- monitor compliance with the GDPR and other data protection laws, including managing internal data protection activities, awareness raising and training of staff and conducting internal audits
- advise on and monitor data protection impact assessments
- act as the contact point for, and cooperate with, the ICO, and consult it on any data protection matter, i.e. when a data breach occurs
- be the contact point for individuals whose data is processed (employees, customers, etc.).
The DPO will need to operate independently of the organisation while reporting to the highest management level/Board, and be given such resources by the organisation as are necessary for the organisation to meet its GDPR obligations.
Note that the DPO will need to have the power to report to the ICO independently of the organisation. This means that the DPO is effectively a spy for the ICO: paid for by the organisation, with resources supplied by the organisation, reporting on the organisation without restraint from the organisation.