Back
Before and post the General Data Protection Regulations (GDPR) came into effect this year, the spotlight was on obtaining ‘CONSENT’ to hold and process data. Now the flurry of re-permissioning emails has stopped infiltrating our in-boxes the finer details of how charities can achieve GDPR compliance have started to gain focus, with the spotlight on the requirements on appointing a Data Protection Officer (DPO).
Many charities have updated their privacy policies and re-permissioned their data but haven’t appointed a Data Protection Officer. The question is, does your Charity require a Data Protection Officer in order to be compliant?
When should a Data Protection Officer be appointed?
Under Article 37 of the EU GDPR there are three conditions under which a Data Protection Officer must be designated:
  • Where the processing is carried out by a public authority or body (except for courts acting in their judicial capacity).
    Where the core activities of the controller or processor involve the processing of regular and systematic monitoring of individuals on a large scale.
  • Where the core activities of the controller or processor involve the use, on a large scale, of special categories of data or personal data relating to criminal convictions.
    The last condition, special categories of data, is not a new concept and have long been subject to additional safeguards. The special categories are listed in Article 9 of the GDPR and consist of data relating to racial or ethnic information to data concerning a person’s sexual orientation.
What are the responsibilities of a Data Protection Officer?
A general overview of a Data Protection Officer’s role is to “be responsible for all issues which relate to the protection of personal data.” 
The DPO’s tasks are defined in Article 39 as:
  • to inform and advise you and your employees about your obligations to comply with the GDPR and other data protection laws;
  • to monitor compliance with the GDPR and other data protection laws, and with your data protection policies, including managing internal data protection activities; raising awareness of data protection issues, training staff and conducting internal audits;
  • to advise on, and to monitor, data protection impact assessments;
  • to cooperate with the supervisory authority; and
  • to be the first point of contact for supervisory authorities and for individuals whose data is processed (employees, customers etc).
Who should a Charity appoint as their Data Protection Officer?
Article 37 states that the data protection officer shall be designated on the basis of professional qualities and, in particular, expert knowledge of data protection law and practices and the ability to fulfil the tasks as stated above (Article 39).
This isn’t just a throw-away role that can be assigned to an employee that already has their everyday responsibilities to undertake and consider the charity compliant. When the role of a Data Protection Officer is not carried out to the highest level of competence then an charity risks personal legal proceedings.
Article 29 Working Party suggests a Data Protection Officer should have the following skills and experience:
  • expertise in national and European data protection laws and practices including an in-depth understanding of the GDPR;
  • understanding of the processing operations carried out;
  • understanding of information technologies and data security;
  • knowledge of the charitable sector and the charity itself; and
  • the ability to promote a data protection culture within the charity and its network.
Although appointing a Data Protection Officer is necessary it is not always feasible, especially as the cost of an in-house DPO could cost a charity from £36,000 per annum; an overhead that could cripple a charity and the good work that's being done.
At Vox Securitas, we have developed a monthly DPO subscription service, which offers charities the support and compliance required under the GDPR without adding extra duties to your existing staff to cover or costly overheads!
  • Our team will monitor internal compliance by carrying out data flows across your business and advising and offering solutions for any issues these might raise. 
  • We also inform and advise on policies and procedures, data protection obligations, and provide advice regarding Data Protection Impact Assessments (DPIAs) if needed. 
  • If you are managing Subject Access Requests and Data Breaches we can take the stress out of this time-consuming process by offering a tailored service to manage this for you.
  • Importantly we take on the responsibility as an external independent support, which the ICO recommends, and act as a contact point for your data subjects and we are the contact person for the ICO. 
The Vox Securitas DPO Advice Service is available across the week during office hours for everyday support from our DPO team. Urgent advice is available outside of office hours to support concerns such as data breaches.
If you require more information on our Vox DPO service or wish to discuss your GDPR compliance further then please contact [email protected] or complete our contact form

No responses yet. Be the first to reply!

{{ctrlComment.postTotalComments}} responses

Load more responses
See previous comments
See new comments

Related posts

Setting up a charitable trust - where to start?

Helen Todd

Leadership & Governance

Should boards publicly share meeting minutes? (Anonymous post 🤫)

Ocean King

Leadership & Governance

What are the legal responsibilities of trustees in a CIC? (Anonymous post 🤫)

Ocean King

Leadership & Governance

Does a new CEO need to be registered as a company director on Companies House? (Anonymous post 🤫)

Ocean King

Leadership & Governance

Chair is making decisions without consulting trustees, what should we do? (Anonymous post 🤫)

Ocean King

Leadership & Governance