A data protection officer or DPO is an independent expert who advises an organisation on its data protection and information rights responsibilities, as well as assisting with monitoring the organisation’s compliance with these obligations.
However, because companies are constantly growing and evolving, it can be difficult to know when it’s time to hire a DPO. We’ve pulled together some frequently asked questions below around the DPO service to help you understand your responsibilities and hopefully ease any DPO confusion.
When do you need to appoint a DPO?
You are required by the UK GDPR to designate a DPO if:
- your core activities consist of processing operations which require regular and systematic monitoring of data subjects on a large scale; or
- your core activities consist of processing special category or criminal offence data (sometimes referred to as ‘sensitive data’) on a large scale; or
- you are a public authority or body (this excludes parish councils).
Who can be a DPO?
Organisations can choose whether to appoint an internal or external DPO and they can be a person or a third-party organisation. DPOs must have a strong understanding of data protection law and regulatory requirements. They also need good communication skills, as they’ll be working with the business’ staff and management, as well as with the data protection authorities. You don’t need a formal qualification to become a DPO.
What does ‘monitoring’ data subjects mean?
The meaning of ‘monitoring’ is often interpreted too narrowly. Activities to consider when thinking about monitoring include CCTV, vehicle tracking devices, workforce tracking tools, mobile device tracking, mobile app tracking functionality, cyber security monitoring, website user monitoring, online behavioural advertising and monitoring of individuals using risk screening tools and offline data.
How do we know if we’re processing personal data on a ‘large scale’?
This is the question we often get asked – how large is large scale? There is no direct answer, because every business’ processing activities differ.
To determine if you are processing data on a large scale, you should:
- Assess the volume of personal data you process, especially the numbers of data subjects whose information you hold, together with the categories of data that you hold about each person. In some cases, it might be limited to names but in other cases you might collect a lot of personal data about each person.
- Consider the context of the processing, including the geographical locations in which the personal data is processed and the duration or permanence of such processing.
There is no hard and fast number for ‘large scale’; however, the following rule of thumb can be a helpful guide when considering your own business:
- Processing of special category or criminal offence data: 5000 persons and above
- Higher risk personal data processing (e.g. credit card data, profiling data, geolocation data, etc.): 10,000 persons and above
- All other personal data: 50,000 persons and above.
You should not:
- Solely consider the number of employees in your organisation or your number of customers to determine if you need a DPO. For example, if you are a start-up with three people, but you process the sensitive personal data of 7,500 data subjects, then it is likely you will still need a DPO. Conversely, if you have more than 500 employees and 10,000 customers but process minimal personal data (such as name only) and carry out no monitoring, it is unlikely you will be required by law to designate a DPO.
Does it matter if we’re the data controller or the data processor?
Both controllers and processors must designate a DPO if they meet the criteria. If you have outsourced an activity to a processor that meets the requirements above, then you (as controller) and they (as processor) will most likely both have to designate a DPO. We have seen this with property development and management organisations who outsourced public area CCTV management to a third-party processor, assuming that doing so meant they didn’t need a DPO. In these examples, it was clear that the developer was still the controller, even if they didn’t handle the recorded video or monitor the live feeds themselves.
Are there benefits to having a DPO even if we don’t have to officially appoint one?
You can still designate a DPO even if you are not mandated to do so by law and there are good reasons to do so. For example, if you don’t have to designate a DPO now but might have to in the future, due to growth or new services, then appointing a DPO early makes sense as they can help ensure data protection by design as your processing expands.
Likewise, if you operate a consumer facing business and process personal data, then having a DPO can help you demonstrate that you take data protection seriously and help build a relationship of trust with your consumers. If your organisation is a data processor, having a DPO can also help build confidence with the controllers on whose behalf you are processing personal data.
It’s very common for businesses to struggle with interpreting the DPO requirements because they turn on the meanings of ‘core activities’, ‘regular and systematic’ and ‘large scale’. Whilst it can be frustrating that a more direct interpretation isn’t available, a principles-based approach is required to enable the law to be applied to businesses of all types and sizes. As such, businesses must consider their specific circumstances. Evalian, a leading data protection and security services consultancy, can help to demystify your data protection compliance obligations and align you to the UK GDPR’s requirements. They also offer affordable outsourced DPO services.
If you want to discuss any of your data protection requirements, including whether you need a DPO, please get in touch.