GDPR in focus: Does my company need to assign a Data Protection Officer?
Under the new regulations, some organisations will be required to assign a Data Protection Officer. They will take on the responsibilities of ensuring compliance with the GDPR and providing the company with advice about matters surrounding data privacy.
Companies required to appoint an officer will need to notify the Information Commissioner’s Office (ICO) and make the officer’s identity publicly known. It’s this identification that is key to GDPR compliance, as many businesses will need to replace overarching department names or email addresses on their Data Privacy Policies with an individual point of contact.
But, irrespective of whether they are obligated to appoint a DPO, organisations are required to have sufficient skills and staff to comply with the requirements of the GDPR. So, while not every business is required to have an official DPO, it’s good practice to have a designated person in your team to take responsibility for data protection. This should help ensure that processes comply with the new regulations and guard against oversights or accidental infringements.
So, how do you know whether your business is legally required to assign a DPO?
Identification of an officer is mandatory for:
- Any public body that processes personal data
- Organisations whose core activities require the regular and systematic monitoring of personal data on a large scale
- Companies whose main operations involve the processing of special categories of data on a large scale. This includes information about race, ethnic origin, sexual orientation, religious beliefs, philosophical beliefs, political views and biometric data (e.g. DNA, fingerprints, photographic images) to name a few.
It’s reasonable to assume that most organisations will know if they are a public body, and most that are will process personal data in some capacity. So, this almost guarantees the need for a government agency to appoint a DPO, for example. For every other type of organisation though, the conditions are a little harder to decipher.
What counts as ‘large scale’?
Defined by relative size rather than a specific number, ‘large scale’ can be a tricky term to decipher.
While initial versions of the GDPR ruled that only big businesses would need to designate a DPO, alterations since then mean that smaller companies are also obligated to do so. Ultimately, the scale is based on how many individuals, and their personal data security, one person in the organisation can thoroughly consider.
How do you define systematic and regular monitoring?
Other examples of systematic and regular monitoring have been identified by the Working Party (WP29), who are pushing for clearer thresholds within the regulations. The following scenarios would require the company to designate a DPO, for instance:
- Tracking individuals’ travel data, using a transport system
- Monitoring ‘real-time’ customer data for statistical purposes
- Processing customer data in the regular course of business
- Profiling personal data for behavioural advertising
- Gathering content, traffic or location data.
Profiling and monitoring
Given the prevalence of machine learning and behavioural tracking, profiling and monitoring activities are also important considerations. Such tools are often used within e-commerce sites for direct marketing purposes – suggesting what you may like to see, or providing you with tailored emails and exclusive offers.
Under Article 4 of the GDPR, data processing may be characterised as profiling when it:
- Involves the automated processing of personal data
- Uses that personal data to evaluate aspects relating to that person. This includes analysing or predicting the individual’s economic situation, health, personal preferences, behaviour, locations and movements or interests.
Failure to comply
In the event that the supervisory authority finds that an organisation should have appointed a DPO but didn’t, the potential penalty is either 2% of last year’s global turnover or €10m – whichever is higher.
So, with such severe punishments for those who fail to comply with the new regulations, it’s crucial that companies carefully consider whether they need a DPO, and thoroughly document this thought process along with the reasons for the outcome.
Clearly, a periodic review of whether a DPO is needed should form an essential part of any company’s GDPR compliance process – even if one wasn’t required initially, a slight change in how the business processes data could result in a breach of the regulations.
It’s important to note that the DPO role does not need to be assigned to a full-time employee of the organisation, but they must be independent of any of the processing/controlling activities. If you need help with this, contact us to find out about the Virtual DPO service we offer.