When do you need a Data Protection Officer?

A Data Protection Officer (DPO) is responsible for guiding all areas of the company on handling personal data in compliance with GDPR, monitoring the company’s compliance and being a point of contact for individuals and supervisory authorities.

When do you need to appoint a DPO?

Only controllers and processors that are subject to the GDPR and that meet one of the below thresholds are required to appoint a DPO: 

  • a public authority or body
  • core activities involve regular, systematic and large-scale monitoring of individuals
  • core activities involve large-scale processing of sensitive personal data
  • required under member state law (e.g. Germany, Spain)

This explanation often raises the following questions.

What is considered large-scale processing? 

Large-scale processing can be tricky to nail down under GDPR as the regulations do not provide a specific threshold or definition. Instead, you should consider the following factors:

  • the number of individuals involved – either as a percentage of the related population or as a specific number
  • the scope of the personal data involved
  • how long the data processing activity takes, or will continue
  • the geographical extent of the processing

For example, a hospital would process sensitive health information on a large scale, but a single doctor would not.

How do we know if our processing is a core activity or not?

Suppose the processing of personal information is essential for your company to achieve its objectives. In that case, it is considered to be a core activity.  

So again, here, the processing of health data is a core activity of a hospital for it to be able to fulfil its function. Likewise, for a health insurance company, processing health and other personal data is a core activity.   

What is considered regular and systematic monitoring?  

Any form of online and offline tracking and profiling of individuals is considered regular and systematic monitoring. The ICO, the UK’s supervisory authority, provides this example: 

A large retail website uses algorithms to monitor the searches and purchases of its users, and, based on this information, it offers recommendations to them. As this takes place continuously and according to predefined criteria, it can be considered regular and systematic monitoring of individuals on a large scale.

Conclusion

Whether your company formally requires a DPO or not, the GDPR recommends having a point of contact or team to manage any data privacy concerns.

If you wish to go down this route, below are some Best Practices for a Data Privacy Nominee or Team:

  • They are tasked with monitoring compliance with GDPR and other data protection laws and critical documents like privacy policies. 
  • They are tasked with raising awareness of data protection issues, training staff and conducting internal audits. 
  • If required, they are responsible for overseeing a DPIA. 
  • They are the point of contact for any interaction with the lead supervisory authority.
  • They report to or have representation from the highest level of management and are given the required independence to perform their tasks.           
  • They have the required budget and resources to perform their tasks.
  • Other tasks assigned to them do not result in a conflict of interests with their role as a data privacy nominee.