Can the DPO be asked to be responsible for carrying out core data protection duties or tasks for a Practice?


The DPO’s role is NOT to carry out any of the core data protection activities for a Practice and it would put the DPO in a position of conflict if they were asked to do so.

The ICO states clearly

“The GDPR says that you can assign further tasks and duties, so long as they don’t result in a conflict of interests with the DPO’s primary tasks.  Basically this means the DPO cannot hold a position within your organisation that leads him or her to determine the purposes and the means of the processing of personal data.”

“The DPO isn’t personally liable for data protection compliance. As the controller or processor it remains your responsibility to comply with the GDPR.”