Skip to main content

News

We are now offering Virtual Training to customers, if you are interested please visit the Virtual Training page and contact us igs@essex.gov.uk.  

Spotlight on........Data Protection Officers 

Does your organisation need to appoint a Data Protection Officer?  The Data Protection Act 2018, which applies the UK GDPR, introduced the statutory post of the Data Protection Officer (DPO). The law (article 37) requires organisations to employ a DPO where: 

  • They are a Public Body (except Courts acting in their judicial capacity) 
  • They carry out regular and systematic monitoring of data subjects on a large scale 
  • They process large volumes of special category personal data, or data relating to criminal convictions and offences 

The role of the DPO is to advise on, and monitor, compliance with data protection legislation. They act as a single point of contact for the Information Commissioners Office (the regulator).  The Data Controller is required to support the DPO in performing their tasks by providing the resources necessary to carry out those tasks. The Data Controller cannot instruct the DPO on the exercise of their tasks and cannot dismiss or penalise them for performing their tasks. The DPO must report to the highest management level of the Data Controller. 

The DPO can fulfil other tasks and duties so long as there is no conflict of interest.  For this reason the DPO should not undertake other roles which enable them to set policy or make decisions about how or why personal data will be processed by the organisation. 

The DPO must be designated on the basis of professional qualities and expert knowledge of data protection law and practices. 

This statutory post can be fulfilled in a number of ways: 

  • An employee with the appropriate level of knowledge and skill 
  • Outsourced on the basis of a service contract 
  • A group of affiliated organisations may appoint a single DPO so long as that DPO is easily accessible to each establishment. 
  • A group of legally affiliated organisations may appoint a single DPO so long as that DPO is easily accessible to each establishment. 

It is important that those who fulfil the DPO role are appropriately trained to understand their duties, and they are required to maintain their expert knowledge.  

If you want to refresh your knowledge or seek to gain it, we offer virtual Data Protection Officer training sessions.  We also provide a Data Protection Officer Service.  Please contact us at IGS@essex.gov.uk for further information.