GDPR – Do you Need a Data Protection Officer?
The General Data Protection Regulation has introduced a mandatory requirement for all other organisations to consider whether they need to appoint a data protection officer. The purpose of this short insight is to provide some idea of whether organisations need to appoint one.
An earlier draft of the GDPR suggested there may be an exemption for small businesses, but the ICO have been clear that there is no exemption. Every organisation which processes personal data needs to consider whether a DPO is required based on the nature and scale of its activities. This includes charities and not-for-profits.
According to the Information Commissioner’s Office (ICO), under the GDPR you must appoint a data protection officer if you:
- as part of your core activities carry out large scale, regular and systematic monitoring of individuals (for example interest-based advertising or online behaviour tracking); or
- as part of your core activities carry out large scale processing of special categories of data or data relating to criminal convictions and offences.
What does this mean?
This leaves most asking, what are core activities? What does large scale, systematic monitoring mean? What does large scale processing mean? What are the special categories? The GDPR text is unhelpfully silent.
The best information we have so far is from the EU’s own Working Party 29, set up to provide guidance on implementing the GDPR, which says the following:
- Core activities. These are the key operations taken to achieve the organisation’s objectives, as separate from functions ancillary to those objectives. For example, in the case of a law firm, the core activity is giving legal advice, which might not involve large scale systematic monitoring or processing of personal data. The back office IT functions like maintaining client records might, but these are not part of the organisation’s core activities and so do not invoke the requirement for a data protection officer.
- Large scale. There are no defined limits; it will depend on the number of people, volume of data, duration and geographical location. The example is given of a hospital processing patients’ data, which will be large scale, as opposed to patient data held by a single doctor.
- Special categories of data. This is broadly the same as sensitive personal data under the Data Protection Act 1998 and includes data deemed more sensitive and therefore warranting greater protection. It includes data identifying matters such as race, ethnic origin, politics, religion, health or sexual orientation amongst others.
Some of the businesses which are most likely to require a data protection officer include:
- Healthcare providers
- Financial services providers
- Direct marketers
- Online advertisers
- Travel agents
The best advice for organisations is to document your decision-making process. Whether or not an organisation eventually decides it needs a data protection officer, it must document its decision-making process so that this can be made available to the regulator should they ask.
Make a checklist of factors based on the ICO and Working Party 29 guidance, and demonstrate these have been considered by identifying what the organisation’s core activities are and then comparing them against the GDPR’s requirements.