Appointing a Data Protection Officer should ensure employment practices are
in line with the Data Protection Act, and that audits are performed to identify
It’s the job you love to hate. Data protection compliance is laborious and,
rather like domestic chores, the consequences can be unsavoury if you let it
slide. But don’t despair. A data protection officer (DPO) is the office
equivalent of Mr Muscle, and potentially, the answer to all your problems.
Why you really need a DPO
Although there is no express requirement under the Data Protection Act 1998
to appoint a DPO, you should seriously consider doing so. Appointing a DPO
ensures a co-ordinated approach to a compliance area rife with pitfalls.
In addition, the new Employment Practices Data Protection Code recommends
that organisations should "establish a person within the organisation
responsible for ensuring employment practices and procedures comply with the
Act and for ensuring they continue to do so".
Although the code is not enforceable, it provides the benchmarks set by the
Information Commissioner to assist employers with data compliance.
Who draws the short straw?
In small businesses, data protection compliance is likely to lie with the
business owner. In larger ones, responsibility should be allocated to a senior
HR manager or someone in a comparable position. The DPO should be sufficiently
senior to enforce a uniform approach to compliance.
The main tasks of a DPO
A DPO needs to be familiar with the Act and associated codes of practice.
Keeping up-to-date with any changes to the law is a must. But the Act goes
further than most other legislation – compliance is based on adherence to a set
of broadly drafted principles.
Having grasped the legislation, the DPO needs to audit the personal data
held in his firm – recording different types of data, how it is held and
processed, and so forth. This will reveal where work needs to be done.
Next, the DPO must eliminate areas of non-compliance identified through the
audit. Key considerations should include:
– Checking the processing of personal and sensitive data satisfies the
conditions in the Act
– Informing workers and customers of your firm’s role as a ‘data controller’
and the purpose of processing their data
– Eliminating unnecessary data processing
– Ensuring data is only processed for the purposes for which it was obtained
– Monitoring retention periods so that data is kept for no longer than
– Making sure the data security is appropriate for the sensitivity of the
– Checking that data transfers outside the European Economic Act satisfy the
relevant conditions in the Act
– Establishing appropriate contractual arrangements with third-party data
– Co-ordinating subject access requests and other queries relating to data
– Monitoring and, where necessary, updating the organisation’s current
notification of processing particulars held by the Information Commissioner
The DPO needs to maintain a consistent level of compliance.
An education and training programme can be invaluable for briefing
departmental heads and line managers, as well as workers about their respective
obligations under the Act.
All employees should be made aware that infringing data protection
procedures is a disciplinary offence.
A final word of caution – you can’t pass the buck. Liability under the Act
will normally rest with the employer.
By Mark Mansell, Head of employment law group, Allen & Overy