Data Protection Officer



DPOs assist you to monitor internal compliance, inform and advise on your data protection obligations, provide advice regarding Data Protection Impact Assessments (DPIAs) and act as a contact point for data subjects and the supervisory authority.

The GDPR introduces a duty for you to appoint a data protection officer (DPO) if you are a public authority, or if you carry out certain types of processing activities.

The DPO must be independent, an expert in data protection, adequately resourced, and report to the highest management level.

A DPO can be an existing employee or externally appointed.

In some cases several organisations can appoint a single DPO between them.

DPOs can help you demonstrate compliance and are part of the enhanced focus on accountability.

Do we need a Data Protection Officer?

You need a Data Protection Officer under the GDPR if the following applies:

you are a public authority (except for courts acting in their judicial capacity);

your core activities require large scale, regular and systematic monitoring of individuals (for example, online behaviour tracking); or

your core activities consist of large scale processing of special categories of data or data relating to criminal convictions and offences.

This applies to both controllers and processors. You can appoint a DPO if you wish, even if you aren’t required to. If you decide to voluntarily appoint a DPO you should be aware that the same requirements of the position and tasks apply had the appointment been mandatory.

Regardless of whether the GDPR obliges you to appoint a DPO, you must ensure that your organisation has sufficient staff and resources to discharge your obligations under the GDPR. However, a DPO can help you operate within the law by advising and helping to monitor compliance. In this way, a DPO can be seen to play a key role in your organisation’s data protection governance structure and to help improve accountability.

If you decide that you don’t need to appoint a DPO, either voluntarily or because you don’t meet the above criteria, it’s a good idea to record this decision to help demonstrate compliance with the accountability principle.

What do the Information Commissioners Office (ICO) mean by Core Activities?

your core activities consist of processing activities, which, by virtue of their nature, scope and / or their purposes, require the regular and systematic monitoring of individuals on a large scale; or

your core activities consist of processing on a large scale of special category data, or data relating to criminal convictions and offences.

Your core activities are the primary business activities of your organisation. So, if you need to process personal data to achieve your key objectives, this is a core activity. This is different to processing personal data for other secondary purposes, which may be something you do all the time (eg payroll or HR information), but which is not part of carrying out your primary objectives.

Who should be a Data Protection Officer

The GDPR says that you should appoint a DPO on the basis of their professional qualities, and in particular, experience and expert knowledge of data protection law.

It doesn’t specify the precise credentials they are expected to have, but it does say that this should be proportionate to the type of processing you carry out, taking into consideration the level of protection the personal data requires.

So, where the processing of personal data is particularly complex or risky, the knowledge and abilities of the DPO should be correspondingly advanced enough to provide effective oversight.

It would be an advantage for your DPO to also have a good knowledge of your industry or sector, as well as your data protection needs and processing activities.

Can we outsource a Data Protection Officer to 2414 Group

Absolutely, we have been providing GDPR Training and Consultancy Services relating to GDPR for well over a year now. If you don't have the time, ability or expertise to roll out GDPR then you can outsource this to us. Depending on your size, scale of data and how you process it depends on how much time you will need to outsource to us. It can be as little as one day every year to one day ever month. There may be an initial set up and process to get you GDPR ready but it is best to give us a call or drop us an email to discuss. Call us now on 0333 666 4446 or email

How do we support an Outsourced Data Protection Officer?

the DPO is involved, closely and in a timely manner, in all data protection matters;

the DPO reports to the highest management level of your organisation, ie board level;

the DPO operates independently and is not dismissed or penalised for performing their tasks;

you provide adequate resources (sufficient time, financial, infrastructure, and, where appropriate, staff) to enable the DPO to meet their GDPR obligations, and to maintain their expert level of knowledge;

you give the DPO appropriate access to personal data and processing activities;

you give the DPO appropriate access to other services within your organisation so that they can receive essential support, input or information;

you seek the advice of your DPO when carrying out a DPIA; and

you record the details of your DPO as part of your records of processing activities.

This shows the importance of the DPO to your organisation and that you must provide sufficient support so they can carry out their role independently. Part of this is the requirement for your DPO to report to the highest level of management. This doesn’t mean the DPO has to be line managed at this level but they must have direct access to give advice to senior managers who are making decisions about personal data processing.