The DPO checklist

September 9th, 2021 Posted in Compliance, Data Protection

What is a DPO?

A data protection officer (“DPO”) is an independent expert who advises an organisation on its data protection and information rights responsibilities, as well as assisting with monitoring the organisation’s compliance with these obligations. A DPO can be a singular person or a third-party organisation. This DPO checklist will help you determine when you need to appoint a DPO, and what processing data on a large scale means for your business.

Under the UK’s General Data Protection Regulation (“UK GDPR”), many organisations are required to appoint a DPO. To help you understand if you need one, we’ve created the checklist below. If you’re a new business, we also have 8 Tips on Data Protection for start-ups.

Before we get to the checklist, it’s worth saying that you can still designate someone even if you are not mandated to do so by law and there are many benefits to hiring a DPO.

For example, if you don’t have to designate a DPO now but might have to in the future, due to growth or new services, then appointing a DPO early makes sense as they can help ensure data protection by design as your processing expands. Our experts are ideally placed to help you with questions such as should you outsource your DPO? Get in touch with our friendly team today.

Likewise, if you operate a consumer-facing business and process personal data, then having a DPO can help you demonstrate that you take data protection seriously and help build a relationship of trust with your consumers. If your organisation is a data processor, having a DPO can also help build confidence with the controllers on whose behalf you are processing personal data.

When do you need to appoint a DPO?

You are required by the UK GDPR to designate a DPO if:

  • you are a public authority or body (this excludes parish councils);
  • your core activities consist of processing operations that require regular and systematic monitoring of data subjects on a large scale; or
  • your core activities consist of processing special category or criminal offence data (sometimes referred to as ‘sensitive data’) on a large scale.

Businesses sometimes struggle to interpret the requirements based on the meanings of ‘core activities’, ‘regular and systematic’ and large scale. Whilst it can be frustrating that a more direct interpretation isn’t available, a principles-based approach is required to enable the law to be applied to organisations of all types and sizes. As such, organisations must consider their specific circumstances.

In addition, the meaning of ‘monitoring’ is often interpreted too narrowly in our experience.  Activities to consider when thinking about monitoring include CCTV, vehicle tracking devices, workforce tracking tools, mobile device tracking, mobile app tracking functionality, cyber security monitoring, website user monitoring, online behavioural advertising and monitoring of individuals using risk screening tools and offline data.

Remember also that both controllers and processors must designate a DPO if they meet the criteria. If you have outsourced activity to a processor that meets the requirements above, then you (as controller) and they (as a processor) will most likely have to designate a DPO. We have seen this with property development and management organisations that outsourced public area CCTV management to a third-party processor assuming that doing so meant they didn’t need a DPO. In these examples, it was clear that the developer was still the controller, even if they didn’t handle the recorded video or monitor the live feeds themselves.

What does processing personal data on a large scale mean?

This is the question we often get asked. Organisations can understand ‘core activities’ and ‘regular and systematic’ but how large is large scale? There is no direct answer because every organisation’s processing activities differ.

To determine if you are processing data on a large scale…

You should:

  • Assess the volume of personal data you process, especially the number of data subjects whose information you hold, together with the categories of data that you hold about each person. In some cases, it might be limited to names but in other cases, you might collect a lot of personal data about each person.
  • Consider the context of the processing, including the geographical locations of the personal data processing and the duration or permeance of such processing.

There is no hard and fast number for ‘large scale’ the following rule of thumb can be a helpful guide when considering your own business:

  • Processing of special category or criminal offence data: 5000 persons and above
  • Higher risk personal data processing (e.g. credit card data, profiling data, geolocation data etc): 10,000 persons and above
  • All other personal data: 50,000 persons and above.

You should not:

  • Solely consider the number of employees in your organisation or your number of customers to determine if you need a DPO. For example, if you are a start-up with three people, but you process the sensitive personal data of 7,500 data subjects, then it is likely you will still need a DPO. On the contrary, if you have more than 500 employees and 10,000 customers but process minimal personal data – such as name only and carry out no monitoring – it is unlikely you will be required by law to designate a DPO.

Do you need help deciding whether to hire a DPO?

Because companies are constantly growing and evolving, it can be difficult to know when it’s time to hire a DPO. We can help you to demystify your data protection compliance obligations and align you to the UK GDPR’s requirements. As well as this, we also offer affordable outsourced DPO services. If you want to discuss any of your data protection requirements, including whether you need a DPO, please get in touch.

If you need legal advice for your business relating to trademarks, legal strategy and budgets, business set-up and more, LegalEdge are flexible business lawyers who have all worked in-house and know how to manage your day-to-day legal requirements.

"*" indicates required fields

This field is for validation purposes and should be left unchanged.

Want to learn more? Download your free Guide to GDPR Accountability.

Raymond Orife Evalian 250x250

Written by Ray Orife

Ray specialises in data protection and information rights law. He is a qualified solicitor and worked in private practice and in-house in commercial law roles before focusing on data protection. Before joining Evalian™ he was in-house counsel and Data Protection Officer for a high street financial services organisation and their associated businesses. His qualifications include a First Class Honours Degree in Law, LPC (Distinction), Practitioner Certificate in Data Protection (PC.dp) and IAPP CIPP/E.