With the arrival of GDPR regulation, any organization processing personal needs to appoint a Data Protection Office.
GDPR regulation states that you must appoint a Data Protection Officer (DPO) if:
- You are a public authority or body (except for courts acting in their judicial capacity);
- Your core activities require large scale, regular and systematic monitoring of individuals (for example, online behaviour tracking); or
- Your core activities consist of large scale processing of special categories of data or data relating to criminal convictions and offences.
Can other tasks be assigned to the DPO?
There are cases where organizations would appoint an individual who is already part of the business, as finding a DPO would not have been that easy… Therefore, it makes sense to ask the question of whether or not the appointed individual can continue to carry out other activities within the organization along with its new role of Data Protection Officer.
Under article 30 of GDPR regulation, the DPO cannot hold a position within your organization that leads him/her to determine the purposes and the means of the processing of personal data.
Also, the DPO shouldn’t be expected to manage competing objectives that could result in data protection taking a secondary role to business interests.
A Data Protection Office is therefore allowed to manage a team or carry other activities within the same organization as long as there are no conflicts of interest with his DPO position.
Source: https://www.ico.org.uk