Do I really need a Data Protection Officer (DPO)?
The General Data Protection Regulation (GDPR) is a privacy law that protects the privacy rights of residents of the European Union.
This law grants EU residents certain rights when it comes to the collection, use and disclosure of their personal information, and requires processors and controllers of this information to:
- Honor the privacy rights afforded to consumers;
- In some cases, designate a DPO.
In this article, we will discuss who is required to designate a Data Protection Officer under the GDPR so that you can determine whether you need one as well.
Processing carried out by a public authority or body
Article 37 of GDPR first states that a Data Protection Officer must be appointed when the processing is carried out by a public authority or body, except for courts acting in their judicial capacity. GDPR does not provide us with a definition of “public authority” so you must use national law to determine whether you would be considered as such.
If we take the United Kingdom as an example, the UK Data Protection Act 2018 adopts the Freedom of Information Act 2000 and Scotland Freedom of Information Act 2002 definitions of “public authority”. Common examples of public authorities include a county council, some branches of the armed forces, or a parliament. Public authorities are usually government departments. However, the safest way to determine whether you are a public authority is to review national law for the definition.
Regular and systematic monitoring of data subjects on a large scale
You need to have a Data Protection Officer if your core activities consist of processing operations which, by virtue of their nature, their scope and/or their purposes, require regular and systematic monitoring of data subjects on a large scale. Unfortunately, GDPR itself does not provide much guidance on the meaning of the key terms in the previous sentence, including “core activities”, “regular and systematic monitoring”, and “large scale.” Let’s unpack each of these terms individually so that you can have a better understanding of to whom the DPO requirement applies.
GDPR refers to the core activities of a particular organization and how the processing of the personal information relates to those core activities. Core activities, as specified in Recital 97, are activities that relate to the primary activities of the organization and do not relate to the processing of personal information as ancillary activities. According to the Article 29 Working Party, core activities can be considered as the key operations necessary to achieve the controller’s or processor’s goals.
Let’s take the example of a company that sells paper. This company’s processing of personal information for the purpose of hiring an assistant would not be considered a “core activity”, since it is ancillary to the business of selling paper. However, the same activity would be considered a “core activity” for a staffing firm, since it is in business for the primary purpose of hiring people. Whether or not you are performing a core activity depends on the business you are in, your goals and what you are trying to accomplish, so determinations need to be made on a case-by-case basis.
Regular and systematic monitoring
For the Data Protection Officer requirement to apply, the processing operations must consist of regular and systematic monitoring of data subjects. Unfortunately, GDPR does not define what this term means. However, Article 29 Working Party provides the following guidance on what it means for processing to be “regular”:
- Ongoing or occurring at particular intervals for a particular period;
- Recurring or repeating at fixed times; or
- Constantly or periodically taking place.
Meanwhile, “systematically” is interpreted to mean one or more of the following:
- Occurring according to a system;
- Pre-arranged, organised, or methodical;
- Taking place as part of a general plan for data collection; or
- Carried out as part of a strategy.
Common examples of this type of monitoring include email retargeting, location tracking, fraud prevention and behavioral advertising. Again, whether you are performing these types of activities depends on your specific data processing practices, meaning that you need to have a good understanding of how you use personal information in your business activities. Good tools for determining whether you are performing regular and systematic monitoring are a data flow map and a data inventory.
Processing on a large scale
GDPR itself does not provide any information on what is meant by “a large scale.” In fact, the Article 29 Working Party states that it is really not possible to state a specific number that would qualify processing automatically as “large scale.” However, you should consider the following factors when trying to determine if you qualify:
- The number of data subjects concerned - either as a specific number or as a proportion of the relevant population;
- The volume of data and/or the range of different data items being processed;
- The duration, or permanence of the data processing activity; and
- The geographical extent of the processing activity.
Large scale processing is usually undertaken by larger entities such as hospitals, restaurant chains, search engines or Internet service providers.
If you are regularly and systematically processing the personal information of data subjects on a large scale as part of your core activities, you need to appoint a Data Protection Officer for your organization.
Processing special categories of data or criminal conviction and offense data
GDPR also requires you to appoint a Data Protection Officer if you are processing, on a large scale, the special categories of data specified in Article 9 or personal data relating to criminal convictions and offenses referred to in Article 10.
Article 9 states that the following data is included in the “special categories”: personal data revealing ethnic or racial origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health, or data concerning a natural person’s sex life or sexual orientation.
If you are processing any of the data mentioned above, or personal data relating to criminal convictions and offenses, on a large scale, you need to appoint a Data Protection Officer, as this type of data is very sensitive and warrants additional protections.
If you are a public authority, are performing regular and systematic monitoring of data subjects on a large scale, or are processing special categories of data or criminal conviction and offense data on a large scale, you will need to designate a Data Protection Officer. Failure to designate a DPO when you are required to do so can lead to investigations by Data Protection Authorities and even fines for GDPR non-compliance.