Memo to the board making recommendations in relation to appointing a DPO

Date: [insert date]

Introduction

One of the key requirements of the UK General Data Protection Regulation (UK GDPR) is for certain organisations to appoint a designated individual to be the Data Protection Officer (DPO). I have reviewed the requirements in the light of [insert name of organisation]’s activities and this note sets out my conclusions and recommendations and the factors I have taken into account in reaching them.

A brief summary of the UK GDPR requirements relating to DPOs is attached.

Factors relevant to [insert name of organisation]’s appointment of a DPO

Core activities: [describe the core activities of the organisation, ie the organisation’s primary activities rather than ancillary activities that may involve processing data. Consider, eg whether the organisation is a private entity carrying out a public function in any areas of its work]

Controller or processor: [describe whether the organisation is a controller or a processor in respect of the above core activities]

Categories of data processed: [describe the nature of the data processed by the organisation, eg is it special category data, criminal records, employee data only, consumer data or other sensitive types of data?]

Type of processing: [describe the types of processing carried out by the organisation, eg does the processing involve systematic monitoring, profiling, receipt from or transfer of data to third parties? Are any transfers
