For GDPR compliance, as a rule of thumb, most larger organisations will need a Data Protection Officer (DPO) and most smaller ones won't. The actual test, though, is about what the organisation does with personal data, not its headcount. Here's the detail:
A DPO is mandatory in the following three cases (GDPR Article 37(1)):
- The processing is carried out by a public authority or body (except for courts acting in their judicial capacity)
- The core activities of the controller or the processor consist of processing operations which, by virtue of their nature, scope and/or purposes, require regular and systematic monitoring of data subjects on a large scale
- The core activities of the controller or the processor consist of processing on a large scale of special categories of data (the Article 9 categories, e.g. health, political opinions, religious beliefs, sexual orientation) or of personal data relating to criminal convictions and offences
According to WP29, "core activities" can be considered as "the key operations necessary to achieve the controller's or processor's goals", i.e. the data processing is at the heart of the organisation's ability to operate, e.g. a hospital processing patient records, or a private security firm carrying out surveillance. Necessary support functions such as paying staff or running the IT helpdesk are ancillary, not core.
"Large scale" is a woolly term, and it is up to the data controller/processor to determine whether it applies to them, based on factors such as the number of data subjects, the volume and range of data items, the geographical extent and the duration or permanence of the processing. Examples of large-scale processing are a hospital's patient data, a search engine's behavioural advertising data and an insurance company's or bank's customer data. Examples that do not constitute large-scale processing are the processing of patient data by an individual doctor, client data by an individual accountant, or personal data relating to criminal convictions and offences by an individual lawyer.
You can summarise these as:
- Government services, e.g. a council. Note that WP29 recommends, as good practice, that private companies performing similar public functions also nominate a DPO, e.g. a housing association, a water supplier or an energy supplier.
- Large-scale processing of personal data, particularly monitoring of individuals, is the organisation's core business, e.g. a bank, a web analytics company or a hospital
- Large-scale processing of highly sensitive (special category) data or criminal offence data as a core activity
So if your organisation is one of the above, nominate a DPO.
A DPO may also be mandatory under a Member State's national law (Article 37(4)) or under other compliance regimes that apply to the organisation.
If an organisation is not mandated to appoint a DPO but does so voluntarily, the requirements on the DPO (Articles 37 to 39) apply exactly as if the role were mandatory.
For organisations that decide they do not require a DPO, WP29 recommends that an internal analysis of this decision be carried out and documented, so that the organisation can demonstrate that all the relevant factors have been properly taken into account.