How to Demonstrate Compliance With GDPR Article 37

Designation of the Data Protection Officer

Book a demo

group,of,happy,coworkers,discussing,in,conference,room

Data Protection Officers are a fundamental component of any organisations broader cyber security operation.

GDPR Article 37 emphasises the importance of the role, and offers guidance on how a DPO should be appointed, the core activities of the role, and how such appointments are communicated.

GDPR Article 37 Legal Text

EU GDPR Version

Designation of the Data Protection Officer

  1. The controller and the processor shall designate a data protection officer in any case where:
    • (a) the processing is carried out by a public authority or body, except for courts acting in their judicial capacity;
    • (b) the core activities of the controller or the processor consist of processing operations which, by virtue of their nature, their scope and/or their purposes, require regular and systematic monitoring of data subjects on a large scale; or
    • (c) the core activities of the controller or the processor consist of processing on a large scale of special categories of data pursuant to Article 9 and personal data relating to criminal convictions and offences referred to in Article 10.

  2. A group of undertakings may appoint a single data protection officer provided that a data protection officer is easily accessible from each establishment.
  3. Where the controller or the processor is a public authority or body, a single data protection officer may be designated for several such authorities or bodies, taking account of their organisational structure and size.
  4. In cases other than those referred to in paragraph 1, the controller or processor or associations and other bodies representing categories of controllers or processors may or, where required by Union or Member State law shall, designate a data protection officer. The data protection officer may act for such associations and other bodies representing controllers or processors.
  5. The data protection officer shall be designated on the basis of professional qualities and, in particular, expert knowledge of data protection law and practices and the ability to fulfil the tasks referred to in Article 39.
  6. The data protection officer may be a staff member of the controller or processor, or fulfil the tasks on the basis of a service contract.
  7. The controller or the processor shall publish the contact details of the data protection officer and communicate them to the supervisory authority.

UK GDPR Version

Designation of the Data Protection Officer

  1. The controller and the processor shall designate a data protection officer in any case where:
    • (a) the processing is carried out by a public authority or body, except for courts acting in their judicial capacity;
    • (b) the core activities of the controller or the processor consist of processing operations which, by virtue of their nature, their scope and/or their purposes, require regular and systematic monitoring of data subjects on a large scale; or
    • (c) the core activities of the controller or the processor consist of processing on a large scale of special categories of data pursuant to Article 9 and personal data relating to criminal convictions and offences referred to in Article 10.
  2. A group of undertakings may appoint a single data protection officer provided that a data protection officer is easily accessible from each establishment.
  3. Where the controller or the processor is a public authority or body, a single data protection officer may be designated for several such authorities or bodies, taking account of their organisational structure and size.
  4. In cases other than those referred to in paragraph 1, the controller or processor or associations and other bodies representing categories of controllers or processors may designate a data protection officer. The data protection officer may act for such associations and other bodies representing controllers or processors.
  5. The data protection officer shall be designated on the basis of professional qualities and, in particular, expert knowledge of data protection law and practices and the ability to fulfil the tasks referred to in Article 39.
  6. The data protection officer may be a staff member of the controller or processor, or fulfil the tasks on the basis of a service contract.
  7. The controller or the processor shall publish the contact details of the data protection officer and communicate them to the Commissioner.

We’re cost-effective and quick

Discover how that will boost your ROI
Get your quote

Technical Commentary

GDPR Article 37 outlines 7 key areas that organisations need to take into consideration when appointing and managing the activities of a Data Protection Officer:

  1. The underlying obligation to appoint a Data Protection Officer.
  2. The right to appoint a DPO for large group undertakings.
  3. The ability for groups of organisations to appoint a single DPO that caters to their shared obligations and organisational structure.
  4. Special circumstances that lend themselves to the appointment of a DPO (an intermediary between organisations and governing authorities).
  5. The expertise of the DPO, including any relevant legal and operational experience.
  6. Contracting DPO duties, rather than appointing one internally.
  7. Making a DPOs contact details available to whomever it is that requires them, and is legally allowed to acquire them.

ISO 27701 Clause 6.3.1.1 (Information Security Roles and Responsibilities) and EU GDPR Article 37

In this section we talk about GDPR Articles 37 (1)(a), 37 (1)(b), 37 (1)(c), 37 (2), 37 (3), 37 (4), 37 (5), 37 (6), 37(7)

Organisations should define roles and responsibilities that are specific to individual functions contained within their privacy protection policy – both their general policy and topic-specific policies.

Individuals with specific responsibilities should be skilled enough to carry out privacy-related tasks, and should be offered continual support that maintains an acceptable level of competency.

Areas of responsibility should include:

  • The protection of PII and any privacy-related assets.
  • Executing privacy protection procedures.
  • PII-related risk management activities, including remedial actions.
  • Anyone who uses the organisations information and data, including the use of ICT assets.
  • Individuals with top-level responsibility for privacy protection delegating tasks to others.

ISO acknowledges that each organisation is unique in the way that they process information. The above areas of responsibility should be accompanied by site and facility-specific guidelines that take into account real world factors affecting an organisations PII-processing operation.

All of the above responsibilities and security areas should be clearly documented and made available to all relevant staff members.

Organisations should nominate an individual that customers (and external authorities) can use as a dedicated point of contact for all PII-related matters (see ISO 27701 Clause 7.3.2).

In addition, organisations should delegate responsibility to one or more individuals for building an organisational privacy governance program that bolsters adherence to localised and national PII laws and regulations.

Supporting ISO 27701 Clauses

  • ISO 27701 7.3.2

Index of Linked EU GDPR Articles and ISO 27701 Clauses

GDPR ArticleISO 27701 ClauseISO 27701 Supporting Clauses
EU GDPR Articles 37 (1)(a) to 37 (7)ISO 27701 6.3.1.1ISO 27701 7.3.2

How ISMS.online Helps

Your complete GDPR solution.

Our pre-built environment fits seamlessly into your management system and enables you to describe and demonstrate your approach to protecting your European and UK customer data.

With ISMS.online, you can easily demonstrate a level of privacy protection that goes beyond ‘reasonable’, all in one secure, always-on location.

Find out more by booking a demo.

Discover our platform

Book a tailored hands-on session
based on your needs and goals
Book your demo

Streamline your workflow with our new Jira integration! Learn more here.