A data protection officer (“DPO”) is an independent expert who advises an organisation on its data protection and information rights responsibilities, and who assists with monitoring the organisation’s compliance with those obligations. A DPO can be a single person or a third-party organisation. This DPO checklist will help you determine when you need to appoint a DPO, and what processing data on a large scale means for your business.
Before we get to the checklist, it’s worth saying that you can still designate a DPO even if you are not mandated to do so by law and there are good reasons to do so.
For example, if you don’t have to designate a DPO now but might have to in the future, due to growth or new services, then appointing a DPO early makes sense as they can help ensure data protection by design as your processing expands.
Likewise, if you operate a consumer-facing business and process personal data, then having a DPO can help you demonstrate that you take data protection seriously and help build a relationship of trust with your consumers. If your organisation is a data processor, having a DPO can also help build confidence with the controllers on whose behalf you are processing personal data.
When do you need to appoint a DPO?
You are required by the UK GDPR to designate a DPO if:
- you are a public authority or body (this excludes parish councils);
- your core activities consist of processing operations that require regular and systematic monitoring of data subjects on a large scale; or
- your core activities consist of processing special category or criminal offence data (sometimes referred to as ‘sensitive data’) on a large scale.
Businesses sometimes struggle to interpret the requirements based on the meanings of ‘core activities’, ‘regular and systematic’ and ‘large scale’. Whilst it can be frustrating that a more direct interpretation isn’t available, a principles-based approach is required to enable the law to be applied to organisations of all types and sizes. As such, organisations must consider their specific circumstances.
In addition, the meaning of ‘monitoring’ is often interpreted too narrowly in our experience. Activities to consider when thinking about monitoring include CCTV, vehicle tracking devices, workforce tracking tools, mobile device tracking, mobile app tracking functionality, cyber security monitoring, website user monitoring, online behavioural advertising and monitoring of individuals using risk screening tools and offline data.
Remember also that both controllers and processors must designate a DPO if they meet the criteria. If you have outsourced an activity to a processor that meets the requirements above, then you (as controller) and they (as a processor) will most likely have to designate a DPO. We have seen this with property development and management organisations that outsourced public area CCTV management to a third-party processor assuming that doing so meant they didn’t need a DPO. In these examples, it was clear that the developer was still the controller, even if they didn’t handle the recorded video or monitor the live feeds themselves.
What does processing personal data on a large scale mean?
This is the question we often get asked. Organisations can understand ‘core activities’ and ‘regular and systematic’ but how large is large scale? There is no direct answer because every organisation’s processing activities differ.
To determine if you are processing data on a large scale…
- Assess the volume of personal data you process, especially the numbers of data subjects whose information you hold, together with the categories of data that you hold about each person. In some cases it might be limited to names but in other cases you might collect a lot of personal data about each person.
- Consider the context of the processing, including the geographical locations of the personal data processing and the duration or permanence of such processing.
There is no hard and fast number for ‘large scale’, but the following rule of thumb can be a helpful guide when considering your own business:
- Processing of special category or criminal offence data: 5000 persons and above
- Higher risk personal data processing (e.g. credit card data, profiling data, geolocation data etc): 10,000 persons and above
- All other personal data: 50,000 persons and above.
You should not:
- Solely consider the number of employees in your organisation or your number of customers to determine if you need a DPO. For example, if you are a start-up with three people, but you process the sensitive personal data of 7,500 data subjects, then it is likely you will still need a DPO. Conversely, if you have more than 500 employees and 10,000 customers but process minimal personal data (such as names only) and carry out no monitoring, it is unlikely you will be required by law to designate a DPO.
Because companies are constantly growing and evolving, it can be difficult to know when it’s time to hire a DPO. We can help you to demystify your data protection compliance obligations and align you to the UK GDPR’s requirements. As well as this, we also offer affordable outsourced DPO services. If you want to discuss any of your data protection requirements, including whether you need a DPO, please get in touch.
If you need legal advice for your business relating to trademarks, legal strategy and budgets, business set-up and more, LegalEdge are flexible business lawyers who have all worked in-house and know how to manage your day-to-day legal requirements. You can contact them here.