A data protection officer is a person appointed by a data controller or a data processor to monitor data protection compliance. They are the first point of contact for the Information Commissioner and for individuals whose data is processed.
Whether or not you are legally obliged to appoint a data protection officer depends on the nature of your organisation. Public authorities and organisations that carry out regular monitoring of individuals or large-scale data processing must appoint a data protection officer.
The data protection officer can be an employee of the data controller or the data processor, or an external consultant. In either case, the data protection officer will need adequate training and active support from the highest level of management. The data protection officer must also act independently, be sufficiently informed on data protection, and be adequately resourced.
In small businesses, it is good practice to allocate responsibility to a specific individual (a data protection manager) who will coordinate the data protection policy. The data protection manager should ensure that your organisation is compliant with the GDPR requirements and embed good data protection practices.