Does my company need a DPO?
GDPR mandates that specific types of organisations appoint a formal Data Protection Officer (DPO).
At a high level, this is an obligation for:
- Public organisations
- Private organisations whose core activities involve processing personal data on a large scale.
The definition of “large scale” is the difficult part. Some guidance has been provided, and it suggests that large-scale processing includes processing of:
- Patient data in the regular course of business by a hospital
- Profiles of individuals in a small head-hunting business
- Travel data of individuals using a city’s public transport system (e.g. tracking via travel cards)
- Real time geo-location data of customers of an international fast food chain for statistical purposes by a processor specialised in providing these services
- Customer data in the regular course of business by an insurance company or a bank
- Personal data for behavioural advertising by a search engine
- Content, traffic or location data by telephone or internet service providers
- People’s use of a shopping centre or public space, monitored by a security company
Data protection authorities have also provided examples of processing that does not constitute large-scale processing, including processing of:
- Patient data by an individual physician
- Personal data relating to criminal convictions and offences by an individual lawyer
- Personal data of your clients in a small law firm
Even where it is not mandatory, some companies still choose to nominate a Data Protection Officer. In that case, titles such as Data Protection Manager or Privacy Manager are often used instead, so that the individual is not subject to the legal obligations and exclusions that attach to the formal DPO role.