Under the General Data Protection Regulation (GDPR), you must appoint a Data Protection Officer (DPO) if you:
- are a public authority
- have core activities that include large-scale regular and systematic monitoring of individuals and special categories of data (which includes information relating to an individual’s health).
Digital Social Care advise that large social care providers are likely to need to appoint a DPO as part of their journey towards compliance. A large care organisation could be characterised as one that is multisite (perhaps on a regional or national level), has dedicated staff in roles such as IT, HR and estates, and holds large volumes of care records.
The DPO’s responsibilities include carrying out audits, notifying the supervisory authority if there is a breach, advising the organisation about data protection law, and monitoring compliance.
The DPO should have expert knowledge of data protection law and practices, understand the organisation’s business, and be independent, i.e. they cannot receive instructions on how to carry out their tasks relating to data processing.
Additionally, the DPO cannot be the individual who decides the means and purposes of processing data in your organisation. For example, if a registered manager plans to bring in a new rota system that would include staff personal details, they could not also be the DPO, because their decision-making role might conflict with their data protection obligations.
To clarify:
- having a Data Security and Protection Lead is not the same as having a DPO
- there are specific requirements for the DPO which are set out in law
Download ‘The role of the data protection officer’ guide