Since GDPR came into force, there is now an legal definition for a Data Protection Officer (DPO).
Some organisations are required to have a DPO because of their size or the personal information that they are processing, whereas other do not need one.
Under GDPR you must appoint a DPO if
- you are a public authority or body (except for courts acting in their judicial capacity);
- your core activities require large scale, regular and systematic monitoring of individuals (for example, online behaviour tracking); or
- your core activities consist of large scale processing of special categories of data or data relating to criminal convictions and offences.
These requirements apply regardless of whether you are a data processor or a data controller. You can choose to appoint a DPO voluntarily even if you do not meet the requirements, although you will need to meet the requirements for the role.
So what is “large scale processing”?
This is not defined in GDPR but there are some helpful guidance notes from the Article 29 working party which you can find here.
The guidance on large scale processing suggests it:-
- involves wide range or a large amount of personal information;
- takes place over a large geographical area;
- affects a large number of people; or
- is extensive or has long-lasting effects.
An example of large scale processing would be the patients of a hospital. Small scale processing would be the patients of an individual doctor.
Even if your organisation does not need a DPO, you have to ensure that your organisation is sufficiently staffed and resourced to meet your obligations under the legal requirements.
If you have a member of staff who is responsible for data protection issues, then please remember that the title Data Protection Officer has a legal standing. You might want to call them the Data Protection Champion, Data Protection Adviser or Data Protection Manager.
If you are unsure whether you need to appoint a Data Protection Officer or not, please contact us. We’ll be happy to talk it through with you.