Appointing a DPO is a legal requirement for some types of organisation

Preparing for GDPR – Appointing Your Data Protection Officer

Appointing a Data Protection Officer is an essential part of compliance with GDPR for some organisations


With just over a year to go until the implementation of the General Data Protection Regulation (GDPR) one of the tasks to get started with for certain types of organisations is the appointment of a Data Protection Officer (DPO).

The Article 29 Data Protection Working Party (WP29) has recently published some useful guidance (5 April 2017) that describes the DPO as being at the “heart of this new legal framework”, and this blog summarises key elements of the guidance and associated annex.


Who is required to appoint a DPO?

There are 3 cases where it is mandatory for a DPO to be appointed by a Controller and a Processor (Article 37(1)):

  1. Where the processing is carried out by an organisation considered to be a public authority or body except for courts acting in their judicial capacity. The WP29 guidance suggests that, as good practice, private organisations carrying out public tasks (such as energy supply, public housing and others) should also designate a DPO.
  2. Where the core activities of the controller or the processor consist of processing operations, which require regular and systematic monitoring of data subjects on a large scale. The WP29 guidance defines “core activities”, “large scale”, as well as what constitutes “regular” and “systematic”, and discusses useful examples such as the use of closed circuit television.
  3. Where the core activities of the controller or the processor consist of processing on a large scale of special categories (Article 9) of data or personal data relating to criminal convictions and offences. As above, the WP29 guidance has some useful examples of what processing is likely to fall within this definition.

Unless obvious, the WP29 guidance recommends organisations should conduct “internal analysis” to determine whether a DPO is to be appointed.


If a DPO is not mandatory for our organisation, should we still appoint one?

Organisations can voluntarily appoint a DPO.  However, it should be noted that the WP29 guidance states that where a DPO is designated on a voluntary basis, the requirements laid down under Articles 37 to 39 will apply as if the designation had been mandatory.  This means that if you do not have to appoint a DPO, roles should only be given the title of DPO if they will be tasked with all obligations laid down in the Articles above.  They are also responsible for all processing operations carried out by the organisation with regard to personal data, meaning that you cannot be selective about which processes the DPO may cover.


The tasks of the DPO are laid down by the GDPR.

What are the DPO’s responsibilities?

 Tasks of the DPO are laid down by Article 39(1) and are summarised below.  These are to:

  • Inform and advise the Controller or the Processor and the employees who are processing personal data of their obligations under the GDPR;
  • Monitor compliance with the GDPR;
  • Provide advice regarding data protection impact assessments and monitor their performance;
  • Cooperate with the supervisory authority, which is the Information Commissioner’s Office (ICO) in the UK;
  • Act as the contact point for the ICO on issues related to the processing of personal data.

Article 39(2) requires the DPO to have a risk-based approach to undertaking their duties, taking into consideration the nature, scope, context and purposes of processing operations.  The accessibility of the DPO should also be effective, with the controller or processor required to publish the contact details of the DPO and also provide them to the ICO.

It is important to note that a DPO is not personally responsible for compliance with the GDPR.  This remains the responsibility of the Controller or Processor (Article 24(1)).  There are additional organisational responsibilities with regard to the DPO and these will be covered in a later blog.


Who can be a DPO?

 Article 37(5) states that the DPO, who can be a staff member or contractor, “shall be designated on the basis of professional qualities and, in particular, expert knowledge of data protection law and practices and the ability to fulfil the tasks referred to in Article 39”.  The WP29 guidance states that although required level of expertise is not defined, “it must be commensurate with the sensitivity, complexity and amount of data an organisation processes”.

 It is worth noting that although Article 38(6) allows DPOs to “fulfil other tasks and duties”, an organisation must ensure there is no conflict of interest.  The WP29 guidance suggests this will depend on each organisation although may preclude senior management such the Chief Executive, Chief Financial Officer, Head of Human Resources, and Head of IT amongst others from the role of DPO.


data protection training
Effective training will continue to be essential to ensure compliance with data protection legislation.

What should I do next?

 The first step is to identify whether a DPO is required in your organisation and, if so, who should fill the role.  You should check the text of the GDPR, the WP29 guidance, and also the information available from the Information Commissioner’s website on DPOs to make sure you understand how these requirements will apply to your organisation.

You can then begin the process of recruitment, contracting and training new and existing staff as appropriate.  It is essential that your organisation has developed the necessary competencies to comply with the GDPR by 25 May 2018.  Training is a key organisational measure in preparing for the GDPR and Tkm can help.  If you are interested in training for DPOs please contact us.

Tkm is in the process of adding accredited data protection qualifications to their portfolio and also delivers in house training that can be fully customised according to your business sector and the individual learning needs of your staff.

Look out for our next blog which will provide some guidance on choosing the right training for your organisation, helping to ensure best value for money.

The material contained in this article constitutes general guidelines only and does not represent to be advice on any particular matter. No reader should act on the basis of material contained within this site without first taking professional advice appropriate to their particular circumstances.

Tkm – helping you manage your information.

exploit – protect – comply

Preparing for GDPR – Let’s Get Started

I couldn’t help but smile over the Christmas break when the other half was playing with their latest gadget, a well-known Voice Service speaker.  Having started to become familiar with how it operated, the requests were getting shorter and shorter.  It would appear that manners are included for free – when the commands were eventually reduced to a single word, the speaker responded with “that wasn’t a very nice way to ask” and the request had to be rephrased before being actioned!

The technology in these devices is amazing although it once again highlights the increasing issues with privacy.  Devices are constantly “listening” and monitoring the environment, collecting data about the way in which we are choosing to live our lives.  And how many of us actually check what happens to this data or take any steps to control how it is used?  We have already seen a case in the USA where the police have issued warrants for the data collected by such a device.  While they were refused, the police were still able to extract the data they were looking for from the device itself, and I am sure a cases will follow in the UK.

The explosion of new technology highlights the need for reform of privacy-related laws, and the General Data Protection Regulation (GDPR) will offer much greater control than existing laws.  With less than 18 months until it comes into effect, it is time to begin preparations.  It is a fairly complex piece of legislation with potentially significant implications so where do we start?

This blog is going to go back to basics, discussing what information falls within the GDPR.  This will inform and underpin many of topics discussed in later blogs as well as provide an opportunity for you to assess your readiness for the GDPR.

Relevant Key Terms

We are going to start by briefly discussing the key terms used in this blog and their interpretation.   The first terms to be considered are “personal data” and “controller”.

personal informationThe definition of personal data is broadening from the existing definition under the Data Protection Act 1998 (DPA 1998) (see Note 1).  The GDPR applies to personal data which is defined as (Article 4):


“…any information relating to an identified or identifiable natural person”.


The definition goes on to state that an identifiable person is one who can be identified directly or indirectly by reference to an identifier, and includes online identifiers.

If you are responsible for personal data, you are likely to currently be considered a data controller.  The term “controller” and its definition is essentially retained under GDPR, which states the controller:


“…determines the purposes and means of the processing of personal data”.


Alongside identifying any responsibilities for personal data, it is also important to identify what personal data your organisation is processing, as they may not necessarily be the same.  The term “processing” essentially covers anything you do with information, including collection and storage (see Note 2).

Where an organisation is processing personal data on behalf of a data controller, they are likely to currently be considered a data processor.  The term and meaning of “processor” is retained by the GDPR although there are new responsibilities for data processors which will be discussed in future blogs (see Note 3).

Documenting Your Organisation’s Personal Data

word_informationBefore we can start on compliance activities, the crucial first step is to identify the personal data for which your organisation is responsible, as well as personal data being processed by your organisation.  This may seem obvious and straightforward, and often can be, although it is always worthwhile spending some time auditing activities to determine exactly where personal data is held, and why and how it is processed.

There are many different ways of auditing the information held by your organisation.  The audit needs to establish the properties of personal data, which will help determine levels of compliance and what changes need to be made.  It is recommended that the interpretation of personal data is as wide as possible at this stage to ensure nothing is missed.  If information allows or enables people to be identified, including information that requires a secondary source to make that identification, it should be documented as personal data.

Under GDPR there is much more of a focus on accountability, which places a greater emphasis on knowing where your personal data came from, and where it goes.  Therefore rather than looking at static datasets and collections of information, it may be more effective to base the audit on business processes and looking at inputs and outputs.  In addition to identifying the information associated with that process, this approach will also enable you to understand how data flows through your organisation.


It will be important to document as much as you can about how personal data is managed.  For each business process, this should include:

  • Personal data held by your organisation. If not already known, it would also be helpful to note whether your organisation is likely to be considered the data controller, and the format in which it is held;
  • Personal data held and processed on your behalf by a third party. GDPR is likely to require changes to existing contracts and this will be revisited in a later blog;
  • Personal data being processed by your organisation on behalf of a third party;
  • The purposes for which personal data is processed. Remember that different parts of your organisation may be using the same information for different purposes and each purpose should be documented;
  • How personal data is processed and any resulting changes to that dataset or information. It will also be important to identify whether there is any automated processing and who can access the data;
  • How long personal data is kept and how it is destroyed;
  • Sources of personal data, and whether personal data from your organisation is made available or accessible to a third party;
  • It would also be helpful to document existing safeguards in place such as contracts, data processing agreements, or data sharing agreements, and which role in your organisation has overall responsibility for the personal data you identify.

There are many ways to approach the audit or review and the most appropriate method for your organisation is likely to depend upon many factors including size and type of business activity (see Note 4).  You may wish to create an information asset register (IAR), which can be developed and updated as the various measures for compliance are implemented.  This type of document should provide you with current high level risks of non-compliance to your organisation, as well as provide a record of the measures taken to ensure compliance.

data protectionRemember, GDPR builds on existing data protection legislation and organisations should already be compliant with the DPA 1998.  Once you have documented your personal data, it would be useful to do a check on current compliance, and identify whether any immediate actions are required.

We are going to use this information in a number of future blogs to assess your readiness for the GDPR so make sure you keep it handy.  Questions, comments, feedback and special requests are always welcome.


Note 1: The current definition of personal data and guidance on its interpretation is available from the Information Commissioner’s (ICO) website.  The ICO is the UK regulator for the Data Protection Act 1998 and will also regulate the GDPR.

Note 2: ‘Processing’ means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;

Note 3: Data controllers are currently responsible for ensuring any processing of personal data for which they are responsible complies with data protection legislation.  GDPR introduces distinct requirements for data processors which will be covered in a later blog, and it is important to understand your role with regard to personal data that your organisation is processing from the outset.

It is possible for an organisation to be a data controller and a data processor.  For example, if you are an organisation providing employment services for others such as HR services to other organisations, you are likely to be a data controller for your own client (where they are individuals, sole traders or partnerships) and employee information.  You are also likely to be a data processor of personal data relating to third party employees.

In practice, these relationships can often be extremely complex.  The relationship should be documented by contract and further guidance on this is available from the ICO’s website.

tkm_logo150Note 4: The first place for guidance is always the ICO’s website.  There are also the relevant BSI standards which relate to managing records and information.  For a more detailed approach using business process, there is some useful guidance in DIRKS  This was written primarily for Australian public sector organisations, however, the principles can be applied to any organisation and it is widely accepted as best practice.  If you are interested in Tkm to providing this service for your organisation and assessing your readiness for the GDPR, please get in touch.

The material contained in this article constitutes general guidelines only and does not represent to be advice on any particular matter. No reader should act on the basis of material contained within this site without first taking professional advice appropriate to their particular circumstances.

Managing information and knowledge assets – exploit – protect – comply
Managing information and knowledge assets – exploit – protect – comply


Certain information must be provided to data subject under the GDPR.

Laws on Using Personal Information Are Changing. Are You Ready?

The Current Situation

As many of us will already know, if we use personal information we are likely to be subject to data protection laws that govern the way in which we are able to use that information.  Whether we have a simple contacts and appointments book as a self-employed or freelance worker, post pictures on social media promoting our business or charity, or have many thousands of individual client records within a large business, we are likely to be required to comply with the Data Protection Act 1998.

While some organisations have excellent standards of compliance, I think it would be fairly safe to say that many remain unaware of their obligations under the legislation and, perhaps for some, even that the law exists or that it applies to them.  Arguably that has been due, at least in part, to the minimal risks facing most from non-compliance.  The Information Commissioner’s Office (ICO) can and does issue fairly significant fines, and we have recently seen Talk Talk given a record £400k fine for failing to appropriately secure personal information.  However, for many, the circumstances that give rise to these headline-grabbing penalties are likely to seem a world away from their own operations.

What is Changing?

personal information
Significant changes to the way in which you need to manage personal information are on their way.

Every organisation that uses personal information should be aware that the most significant change to data protection law in decades is on the horizon.  After a time of uncertainty, the way forward for the implementation of the General Data Protection Regulation (GDPR) seems to be emerging.  The new EU Regulation on data protection was adopted earlier this year, becoming effective in all EU member states in May 2018.

Being an EU Regulation, naturally there was some confusion (and, perhaps for some, wishful thinking!) about whether it would actually come into force following the Brexit vote.  However, we now have confirmation that the ICO considers the Regulation as being in force (just not in effect), as well as the widely reported proposal from the UK Government that all existing EU legislation will be transposed into domestic legislation by the Great Repeal Bill.

The UK Government may chose to amend some aspects of certain EU Regulations although in the case of GDPR, most are unlikely to be in a position where they can afford to wait and see what happens.  With fines in the new legislation of up to an eye-watering 4% of annual global turnover or €20M, there can now be little doubt that it is definitely time to get started with changes required to implement the new standards.  We also need to remember that the Regulation (in its current form) is highly likely to come fully into force before we leave the EU.

What Does My Organisation Need To Do?

This blog will help you prepare for the new data protection legislation and manage key risks to your organisations.

We will be issuing a regular blog that looks at the practicalities of implementing new requirements, draws together any relevant advice and guidance that has been issued, and keeps you informed on the meaning of any legislative change that could effect implementation.  Topics that will be covered will specifically discuss some of the new GDPR requirements and will include:

  • Implementing a breach reporting procedure that informs the ICO and people where their data has been put at risk;
  • The practical implications of the “right to be forgotten”.  Individuals can request, at any time, that information you hold about them is deleted and you must be able to comply with this request unless there are legitimate grounds to continue holding it, for example, for tax purposes.  By implication, you will need to know what information you are holding, how long you need to hold it for, when you are able to destroy it, and provide confirmation it has been destroyed, which is arguably already a requirement under existing legislation;
  • The meaning of “data protection by design and default”.  Adequate controls to safeguard personal information must be integrated into systems and procedures from the planning stages, and in some cases will require a privacy impact assessment;
  • Understanding the legal basis for processing personal information, which means you are able to justify, in terms of the legislation, why you are processing personal information.  While this may sound like legal jargon, it is going to be an area that organisations will need to familiarise themselves with in order to comply and we will try to break this down into simple tasks.  People will have a right to this information, and it will also need to be included in privacy notices;
  • Following on from above, consent is one of the conditions for processing that you may be currently using the rules for the use of consent are changing.  Again this is likely to be a major task for some organisations.  Our blog will look at what procedures may require change and ways of integrating the obtaining of consent into existing processes that comply with the new legislation;
  • Some organisations will require a data protection officer and we will look at their role and how that should facilitate compliance.

 Key Action Points

Regardless of size, organisations need to start their preparations for the data protection legislationThere is some information available from the ICO’s data protection reform site and all organisations should start by reviewing the 12 steps for preparing for GDPR.  At the very least, organisations should be looking at their compliance with the current legislation and taking action to address gaps.  Building on the ICO’s guidance, two key tasks to get started on are to:

  • Identify what personal data you hold, where it was obtained from and who it is shared with.  As discussed above, you should also understand why you are
    holding it (the purpose), how long you need to retain it for, and ensure it can be destroyed when it is no longer required;
  • Raise awareness of the new legislation within your organisation.  Change is likely to require resources and senior management buy-in which will be supported by key people in your organisation fully understanding the risks.

As always, feedback and requests for topics are always welcome.


Liz has worked with data protection for nearly 20 years and helps organisation with managing their information as well as practical compliance with information-related legislation.

The material contained in this site and in this blog constitutes general guidelines only and does not represent to be advice on any particular matter. No reader should act on the basis of material contained in this site without first taking professional advice appropriate to their particular circumstances.

Data Protection Consultancy

Tkm Consulting is managed by Liz Taylor.  Liz has helped organisations with managing information and records management for the past 20 years.  Tkm offers a number of consultancy and training services, specialising in information-related legislation applicable across the UK.  We offer data protection compliance audits and can also provide data protection officer (DPO) as a service.


Data Protection Consultancy Services


At Tkm we offer practical help through consultancy services ideally suited to a wide range of public and private sector businesses.

Tkm provides data protection consultancy and Data Protection Officer as a service. We also offer advice and consultancy on:

  • information and records management
  • information governance including information asset registers and records of processing activities
  • for public sector organisations, help with complying with freedom of information legislation and environmental information regulations.  Tkm can also assist Scottish public authorities with public records legislation and records management plans
  • auditing data protection compliance and assessing current levels of data protection compliance

Data Protection Training

data protection training

Tkm is highly experienced in the field of data protection as well as the design and delivery of training.  Tkm is approved by a number of awarding bodies to deliver management-level qualifications in compliance, including the BCS, SQA, BIIAB and REHIS.  For our courses in data protection, see our data protection training page.

The material contained on this site and in the blogs constitutes general guidelines only and does not represent to be advice on any particular matter. No reader should act on the basis of material contained within this site without first taking professional advice appropriate to their particular circumstances.