Which employers are required to appoint a Data Protection Officer under the General Data Protection Regulation (GDPR)?

Under the General Data Protection Regulation (GDPR), an employer must appoint a Data Protection Officer (DPO) if:

  • it is a public body;
  • its core activities consist of large-scale data processing that requires regular and systematic monitoring of individuals; or
  • its core activities consist of large-scale processing of special categories of data (ie sensitive personal data) or personal data relating to criminal convictions and offences.

The role of the DPO is to inform and advise the employer and its employees of their obligations under the GDPR and other applicable data protection laws and to monitor the organisation's compliance. It is therefore a position that should be independent of influence from the organisation and DPOs are protected from being dismissed or penalised for carrying out their duties. The DPO must report directly to the highest management level in the organisation. The role can be contracted externally or carried out internally by a member of staff, but the DPO's other tasks and responsibilities must not conflict with his or her duties as a DPO. A group of companies or public authorities can appoint a single DPO.

The GDPR will come into effect on 25 May 2018.