Help! I have data that falls under GDPR, do I have to appoint a DPO?

The new European Union the General Data Protection Regulation (GDPR) has been widely publicized. There are many questions surrounding GDPR and frankly many misunderstandings. One that we hear quite often is when an organization falls under the GDPR,  you must appoint a Data Protection Officer (DPO). Is this true?

Let’s first define the Data Protection Officer role under GDPR.  Article 37(5) of the GDPR states “The DPO, who can be a staff member or contractor, shall be designated on the basis of professional qualities and, in particular, expert knowledge of data protection law and practices and the ability to fulfill the tasks referred to in Article 39”

The DPO tasks are defined as :

• Informing and advising the controller or the processor and their employees of their data protection obligations.
• Monitoring compliance with the GDPR, including the assignment of responsibilities.
• Awareness raising and training of staff.
• Providing advice where requested as regards the Data Protection Impact Assessments (DPIAs) and monitoring compliance and performance.
• Engaging with the Information Commissioner’s Office or relevant Supervisory Authority.

The Regulation also stipulates that the DPO reports directly to top level management and must be given all resources necessary to carry out their functions.

It’s clearly a substantial role – but how do you need to appoint one?

There are 3 scenarios explained where you need a DPO

1. The processing is carried out by a ‘public authority’.
2. The ‘core activities’ require regular and systematic monitoring of data subjects on a ‘large scale’.
3. Where ‘core activities’ involve ‘large scale’ processing of ‘special categories’ of personal data and relating to criminal convictions and offenses.

For each of these scenarios there is still some room for interpretation.  The term ‘public authority’ is not defined. The second scenario has no definition of ‘large scale’. ‘Special categories’ include ethnic origin, political opinions, religious beliefs and health data, and apply to (among others) polling companies, trade unions and healthcare providers storing patient records.

It is best to do an assessment of the activities and type of organization you are in to determine if you would require a DPO under any of these scenarios.

When do I not need to appoint a DPO?

The GDPR does not require every controller or processor to appoint a DPO. A private body or organization, for example, does not have to appoint one if:

• Its main activities only seldom involve monitoring data subjects and with little infringement on those data subjects’ rights.
• It does not process special category personal information at all.
• It is only processing the special category personal information of a small group of data subjects.

However, the guidelines of the Article 29 recommend that, unless it is obvious organizations that don’t need to appoint a DPO, they should keep records of their decision making process. The guidance is that you probably should consider appointing one even if not required if you do a lot of business in the EU.

As you can see from this one small aspect of GDPR, there are many nuances that justify the need for an assessment to determine if you do have to take actions to comply, or if you do not and how you can validate your status.