Does my company need a DPO?

GDPR mandates that specific types of organisations appoint a formal Data Protection Officer.

At a high level, this is an obligation for:

  • Public organisations
  • Private organisations whose core activities involve processing personal data on a large scale.

The definition of “large scale” is difficult to apply in practice, although some guidance has been provided, which suggests it includes processing of:

  • Patient data in the regular course of business by a hospital
  • Profiles of individuals by a small head-hunting firm
  • Travel data of individuals using a city’s public transport system (e.g. tracking via travel cards)
  • Real time geo-location data of customers of an international fast food chain for statistical purposes by a processor specialised in providing these services
  • Customer data in the regular course of business by an insurance company or a bank
  • Personal data for behavioural advertising by a search engine
  • Content, traffic or location data by telephone or internet service providers
  • People’s use of shopping centres or public spaces, as monitored by a security company

Data protection authorities have also provided examples that do not constitute large-scale processing, which include processing of:

  • Patient data by an individual physician
  • Personal data relating to criminal convictions and offences by an individual lawyer
  • Personal data of your clients in a small law firm

Even where it is not mandatory, some companies may still choose to nominate a Data Protection Officer. However, titles such as Data Protection Manager or Privacy Manager are often used instead, so that the individual is not subject to the legal obligations and exclusions that apply to a formal DPO.