Skip to main content

GDPR, The Data Protection Officer: do you need to appoint a dedicated officer?

19 September 2018

Make an enquiry

The GDPR contains a large section about Data Protection Officer (DPO) requirements: it reads almost like an extensive job description with detailed information on appointment, position and tasks of the DPO. But how do you know if a DPO is mandatory for your organisation and whether you should consider outsourcing the DPO role?

Appointment of a DPO is mandatory for companies who are:

  • a public authority
  • regularly and systematically monitoring data subjects on a large scale
  • processing special categories of data (medical/ethnic)

Think of companies which are state financed or owned with a focus on tracing or monitoring  individuals through portable devices; companies with customer loyalty programmes; or organisations in the health care environment.

Even if you don’t meet the mandatory DPO criteria, you can chose to appoint a DPO voluntarily, you might base this decision on on best practice for your specific business sector.

Why outsource your DPO?

Once you’ve decided to appoint a DPO, you might consider whether appointing an external DPO would be more suitable than appointing someone from within your organisation. Outsourcing a DPO can be the best option if you’re searching for a part-time, cost effective solution; if your organisation needs independent expertise; or you want to avoid any possible conflict of interest. An outsourced DPO can provide your organisation with best practice guidance and independent sector expertise to help you comply with the GDPR requirements. By outsourcing the DPO, your organisation can benefit from an independent contact person towards the supervisory authority.

Find out more, get in touch with our experts.