Data Protection Officer (DPO) is one of those GDPR phrases bandied around which most people have heard in connection to the regulations, but don’t necessarily fully understand – much like Privacy by Design, data portability or Data Protection Impact Assessment.
Admittedly, at first glance, it can seem pretty daunting, especially to smaller organisations. To comply with the GDPR, organisations need to hire, or appoint from within, a person with enough experience, knowledge, and understanding to act as a data protection expert for the whole company. Creating that role, and hiring someone to fill it, isn’t going to come cheap.
Fortunately, the writers of the GDPR were aware of this and so, contrary to popular belief, not every organisation needs a DPO. In fact, many organisations don’t need to worry at all. The regulations set out three conditions, and an organisation must appoint a DPO if it meets at least one of them. These are:
1. Your organisation is a public authority
2. Your core activities require large-scale, regular and systematic monitoring of individuals, or
3. Your core activities consist of large-scale processing of special categories of data, or data relating to criminal convictions
Let’s break this down a bit.
First, what is a ‘public authority’? Condition 1 requires ‘public authorities’ to appoint a DPO, but this term isn’t actually defined in the GDPR. However, it will be defined in the Data Protection Bill (this is the piece of legislation which will bring the GDPR into UK law once we leave the EU). Though the Bill is subject to change, as it’s still being scrutinised in parliament, it is likely to contain the same definition as the Freedom of Information Act (FOIA). So if your organisation is currently considered a “public body” under FOIA – government departments, the NHS, the armed forces etc. – then in all likelihood you’ll need to appoint a DPO.
Secondly, what are ‘core activities’? The last two conditions both refer to the ‘core activities’ of an organisation, meaning the activities which are central to achieving that organisation’s aims or business objectives. So, for example, a golfing supply shop’s ‘core activities’ consist of selling golfing equipment. Any data it processes for a different reason – by its HR team, say – is considered secondary.
So, condition 2 states that an organisation needs a DPO if its ‘core activities require large-scale, regular and systematic monitoring of individuals’. This would include profiling, tracking, or CCTV monitoring – but, unless this is part of a ‘core activity’, it wouldn’t necessitate hiring a DPO.
Similarly with the final condition – ‘core activities consist of large-scale processing of special categories of data, or … criminal convictions’. The HR team of most companies will process this kind of data on a daily basis, but since it isn’t a ‘core activity’, it wouldn’t count.
Both of the final two conditions refer to ‘large-scale’ processing, but what does this mean? This is a little trickier to answer, since the GDPR itself doesn’t provide a definition. However, the Article 29 Working Party (an advisory body made up of data protection representatives from every EU country) does provide some guidelines on how to judge whether a processing activity is considered ‘large scale’.
You should consider:
- The number of data subjects concerned,
- The volume of personal data being processed,
- The range of different data items being processed,
- The geographic extent of the activity, and
- The duration or permanence of the processing activity.
Having broken down the three criteria, it’s pretty plain to see that many organisations simply don’t qualify, and therefore don’t need to appoint a DPO. That being said, having a DPO goes a long way in demonstrating compliance with the accountability requirement of the GDPR. So, if you have the means of hiring one, it may be a good idea to do so.