Under the GDPR, you must appoint a data protection officer (DPO) if you:
• Are a public authority (except for courts acting in their judicial capacity);
• Carry out large scale systematic monitoring of individuals; or
• Carry out large scale processing of special categories of data or data relating to criminal convictions and offences.
It is recommended that private organisations carrying out public tasks or exercising public authority designate a DPO.
Those who must appoint a DPO include (non-exhaustive list):
• Insurance brokers
• Financial services
• Security companies
• Health care providers (doctors, dentists, chiropractors, physiotherapists etc.)
• Marketing agencies
• Telephone or internet services providers
• Email retargeting
• Loyalty programmes
• Tracking apps
• CCTV users
• Schools and academies
• Some charities
What are the tasks of the DPO?
• Inform and advise the organisation and its employees about their obligations to comply with the GDPR and other data protection laws
• Provide advice and guidance on data protection issues
• Monitor compliance with the GDPR and other data protection laws
• Draft policies and processes
• Manage internal data protection activities
• Advise on data protection impact assessments
• Train staff
• Conduct internal audits
• Be the first point of contact for the ICO
• Be the first point of contact for individuals whose data is processed (employees, customers etc.)