The Roles and Responsibilities of a Data Protection Officer

January 27, 2014

What does a Data Protection Officer do?

A Data Protection Officer (DPO) is simply a person in charge of ensuring an organisation’s compliance with the Data Protection Act 1998.

Whilst every individual who handles or processes data must comply with the law, it is a good idea to have one person who oversees the data processing to ensure that all security obligations are being met.

Whilst the Data Protection Officer is not a strictly defined role, the DPO's responsibilities often include a variety of tasks.


Responsibilities of a Data Protection Officer:

  • Be the nominated officer on the Data Protection Register.
  • Develop and implement the organisation’s Data Protection Policy.
  • Create ‘best practice’ guidance for data processors, preferably in written form for future reference.
  • Train and advise staff on the provisions of the Data Protection Act.
  • Identify and monitor the data processors whilst at work, ensuring that they deal with data in a manner consistent with the 8 data protection principles.
  • Process and respond to all requests for information by data subjects.
  • Ensure data remains up-to-date and is destroyed when necessary.

If you or your business handles any sort of personal information, then data protection is an incredibly important subject. The Data Protection Act 1998 was created to help businesses and individuals understand what they can and cannot do with people’s information, and breaches of the legislation are criminal offences which can result in severe penalties.


Data Protection Policies

Principle 7 of the Data Protection Act states that data must be kept secure in order to prevent loss or unauthorised disclosure. All businesses handling personal data, therefore, are expected to exercise a high degree of risk management in this area.

In order to do this, you should undertake a risk assessment in your workplace that considers the risks of data falling into the wrong hands, and then outline the steps to be taken to minimise or prevent these risks. This risk assessment will be part of your organisation’s Data Protection Policy.

Your Data Protection Policy should include information such as:

  • Information on how personal data will be collected.
  • Details of how data will be kept up-to-date.
  • Details of what to do with confidential waste.
  • Information on what is expected from staff who work with personal data.
  • Details on the use of security systems, such as computer passwords and firewalls.
  • How personal data held electronically will be encrypted.
  • Who is a ‘trusted’ third party.
  • Procedures for what to do if personal data is lost or stolen.
  • The rules for sharing or transferring data outside of the organisation.
