Latest insights from our experts

Dan Griffin

Posted 23 January 2018
by Dan Griffin

GDPR – Do you Need a Data Protection Officer?



The General Data Protection Regulation has introduced a mandatory requirement for all other organisations to consider whether they need to appoint a data protection officer. The purpose of this short insight is to provide some idea of whether organisations need to appoint one.

An earlier draft of the GDPR suggested there may be an exemption for small businesses but the ICO have been clear that there is no exemption. Every organisation which processes personal data needs to consider whether a DPO is required based on the nature and scale of their activities. This includes will include charities and not for profits.

According to Information Commissioner’s Office (ICO), under the GDPR you must appoint a data protection officer if you:

  • as part of your core activities carry out large scale, regular systematic monitoring of individuals (for example interest based advertising or online behaviour tracking); or
  • as part of your core activities carry out large scale processing of special categories of data or data relating to criminal convictions and offences.

What does this mean?

This leaves most asking, what are core activities? What does large scale, systematic monitoring mean? What does large scale processing mean? What are the special categories? The GDPR text is unhelpfully silent.

The best information we have so far is from the EU’s own Working Party 29, set up to provide guidance on implementing the GDPR which says the following:

  • Core activities. These are the key operations taken to achieve the organisations objectives as separate from functions ancillary to those objective. For example in the case of a law firm, the core activity is giving legal advice which might not involve large scale systematic monitoring or processing of personal data. The back office IT functions like maintaining client records might but these are not part of the organisation’s core activities and so do not invoke the requirement for a data protection officer.
  • Large scale. There are no defined limits and is will depend on the numbers of people, volume of data, duration and geographical location. The example is given of a hospital processing patients’ data which will be large scale as opposed to patient data held by a single doctor.
  • Regular, systematic monitoring. Again there are no defined limits but any organisation which tracks individuals online through use of cookies may be required to appoint a Data Protection Officer. Examples are said to include behavioural advertising, mobile apps, data driven marketing and location tracking. All of these are regularly carried out by almost any online businesses as a core part of their operations.
  • Special categories of data. This is broadly the same as sensitive personal data under the Data Protection Act 1998 and includes data deemed more sensitive and therefore warranting greater protection. It includes data identifying matters such as race, ethnic origin, politics, religion, health or sexual orientation amongst others.

Some of the businesses which are most likely to require a data protection officer include:

  • Healthcare providers
  • Insurers
  • Financial services providers
  • Direct marketers
  • Online advertisers
  • Travel agents

The best advice for organisations is to document your decision making process. Whether or not an organisation eventually decides it needs a data protection officer, it must document its decision making process so that this can be made available to the regulator should they ask.

Make a checklist of factors based on the ICO and Working Party 29 guidance and demonstrate these have been considered by identifying what the organisations core activities are and then comparing them against the GDPR’s requirements

If you need any advice regarding this matter, then please do not hesitate to speak with one of our Intellectual Property and IT solicitors on 01392 207 020 or email ip@tozers.co.uk.

Want to know more?

Request a call back or ask us a question using our quick-contact form.
Alternatively you can call us on 01392 207020.

About the author

Dan Griffin

Dan Griffin

Associate and Solicitor

Associate within commercial litigation