Hey, this is my first time here (interesting service!). I work in compliance but have no specific experience in data protection, and I'm trying to figure out if we need a DPO.
We are about 200 employees right now but growing fast, we operate in financial services.
Do we have to employ a DPO?
My understanding, furthermore, is that a DPO can be outsourced; please correct me if I’m wrong.
I agree with what the ladies have already said. If you do require a DPO and decide to appoint internally, it is an important role, for advice and for monitoring compliance. Please avoid seeing it as ‘we need one’ and appointing someone just to tick the box. They must have the correct knowledge, skills and experience.
Hi! As Hellen said, in the GDPR there are 3 cases where you have to appoint a DPO (Article 37): if you are a public authority, or if your core business activities consist of monitoring data subjects on a large scale, or of processing special categories of personal data on a large scale.
Despite that, many organisations appoint a DPO voluntarily. Companies choose to do that either for accountability purposes or to assure external parties that the company takes data protection seriously.
If you choose to formally appoint a DPO although you are not required to do so, the GDPR requirements regarding the role will apply, such as ensuring that there is no conflict of interest, that the DPO reports to the highest management level, and that the DPO has expert knowledge of data protection laws.
There is a legal definition of when you need a DPO which you will find in Art 37 of the GDPR/UK GDPR and this is often the approach taken when organisations (usually those who don’t want to appoint one!) are looking at the role.
What you need to consider is the risk of processing the data within your business, both in terms of the type and quantity of data that you manage and also the reputational/organisational problems if you have a breach of any type.
Also, if processing data safely and securely is the backbone of your business, then it makes sense to have a ‘data guardian’ in place. Think of a DPO as being your own (very useful) internal watchdog with your best interests at heart.
Outsourcing this role is something that a lot of organisations do – so perfectly normal practice.