Jersey firms:- If you don’t have a DPO, do you have a Data Protection Lead (DPL)?

While not every organisation must have a Data Protection Officer (DPO), a DPL is essential, especially for those processing significant volumes of personal data or handling sensitive information (see below for the differences in duties).

In Jersey, a Data Protection Lead (DPL) is a role within an organisation responsible for overseeing data protection practices and ensuring compliance with data protection laws.

The DPL helps embed data protection principles throughout the business, ensuring that personal data is handled under the Data Protection (Jersey) Law 2018.

Duties include tasks such as:

• Advising on data protection obligations.
• Monitoring compliance with data protection laws and internal policies.
• Conducting data protection impact assessments.
• Training staff on data protection practices.
• Liaising with the Jersey Office of the Information Commissioner on data protection matters

The roles of a Data Protection Officer (DPO) and a Data Protection Lead (DPL) share similarities but also have distinct differences, particularly in scope and regulatory requirements.

1. Regulatory Requirement: Under the Jersey data protection laws [JDPL], specific organisations must appoint a DPO. This includes public authorities, organisations that engage in large-scale systematic monitoring, or those processing large amounts of sensitive personal data.
2. Responsibilities:
• Monitoring Compliance: Ensuring the organisation complies with JDPL and other data protection laws.
• Advisory Role: Advising on data protection impact assessments (DPIAs) and other compliance-related matters.
• Training and Awareness: Conducting staff training involved in data processing.
• Liaison: Acting as a point of contact for data subjects and supervisory authorities.
3. Independence: The DPO must operate independently and report directly to the highest management.

Data Protection Lead (DPL)

1. Flexibility: Unlike the DPO, the role of a DPL is not a statutory requirement but can be appointed by organisations to oversee data protection practices, especially if they do not meet the criteria for a mandatory DPO
2. Responsibilities:
• Implementation: Embedding data protection principles within the organisation.
• Compliance Monitoring: Similar to a DPO, but often with a more hands-on approach in smaller organisations.
• Support Role: Assisting with data protection impact assessments and ensuring policies are followed.
• Scope: The DPL’s role can be more flexible and tailored to the organisation's specific needs, often focusing on practical implementation rather than regulatory compliance

In summary, while both roles aim to ensure data protection compliance, the DPO is a more formal, regulatory-driven role with specific legal requirements. In contrast, the DPL is a more flexible role that can be adapted to the organisation’s needs.

If you want to know more about Comsure data lead services, contact Mathew or Adam at yes@comsuregroup.com or T (Jersey) +44 1534 733-588  or +44 7797 747-490

Source:  

• https://www.jerseyoic.org/toolkits/medium-organisation/data-protection-lead-or-officer/
• Data Controller vs Data Protection Officer: Main Differences. https://www.captaincompliance.com/education/data-controller-vs-data-protection-officer/.
• Who is a Data Protection Officer [Role and responsibilities]? https://dataprivacymanager.net/who-is-a-data-protection-officer-roles-and-responsibilites/.
• Leadership and oversight | ICO - Information Commissioner's Office (ICO). https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/accountability-and-governance/accountability-framework/leadership-and-oversight/.