A law firm which offers more

Call us: 0113 246 0622

GDPR FAQs - Should organisations nominate somebody to have responsibility for GDPR, even if a formal data protection officer is not required?


In the fifth instalment of our GDPR FAQS mini blog series, we begin to consider regulatory concerns that are frequently raised by organisations. In this blog we will discuss whether organisations should nominate somebody to have responsibility for GDPR, even if a formal data protection officer is not required.

Our frequently given response:

A formal data protection officer must be appointed by the following organisations:

If your organisation doesn’t fall into the categories listed above it is still worth considering appointing a “privacy officer” or similar, or nominating a person within your organisation to have responsibility for data protection and GDPR compliance and queries.

By ensuring your organisation has a point of contact for data protection, you increase the likelihood that subject access requests received by your employees will be forwarded to that point of contact to be dealt with and that breaches committed by employees will be notified to the appropriate person so that, if necessary, the ICO can be notified within the new timescales.

Failure to nominate somebody as your organisation’s internal point of contact could make it more difficult for your organisation to achieve GDPR compliance and understand whether breaches are arising and if so, why and how to prevent them.

If you are unsure whether your organisation requires a data protection officer and would like to discuss in more detail, please contact Matthew Hattersley or Florence Maxwell.

Disclaimer: Anything posted on this blog is for general information only and is not intended to provide legal advice on any general or specific matter. Please refer to our terms and conditions for further information. Please contact the author of the blog if you would like to discuss the issues raised.