The term ‘large scale’ is a relative, rather than quantitative measure.
The original drafting of the GDPR legislation meant that only the biggest organisations (possibly amounting to less than 10%) would have been required to assign a DPO – however, various changes have since moved the goalposts. Therefore, it’s important to consider the most recent amendments to Article 37:
“The processing of personal data should not be on a large scale if the processing concerns personal data from patients or clients by an individual physician, other health care professional or lawyer.”
By transferring this to a more familiar scenario, it becomes easier to understand – take an e-commerce company as an example. For such a business that sells products online to members of the public, the scaling test is clear – it’s based on how many customers, and their personal data security, one person in the organisation is able to reasonably consider.
If you’re still unsure about whether your business operations count as ‘large scale’, then get in touch and we’ll help you work it out!