What does a DPO do exactly...

Not every organisation is required to have a formal DPO, but any organisation that processes personal data is still required to do so lawfully, even if it doesn't have someone skilled in data protection.

The DPA 2018 and UK GDPR define the minimum responsibilities that a DPO should have, although the role can be much wider. Typically you can expect the role to cover the following:

  • Training and awareness on DPA 2018 and UK GDPR compliance
  • Conducting data protection impact assessments
  • Monitoring UK GDPR compliance and conducting audits
  • Being the point of contact with the relevant supervisory authority (ICO)
  • Maintaining records of data processing activities (although the requirement for these may disappear under the DP & DI Bill 2023 unless the processing is high risk)
  • Responding to data subject access requests
  • Providing advice to the organisation
  • Responding to internal data protection questions
  • Assisting in privacy by design and privacy by default when new initiatives are being considered

If all of that sounds like something you need help with, the Data Protection Lady can offer DPaaS at the level that meets your requirements.