When Do You Actually Need a Data Protection Officer under the GDPR?
You can hear the rumbling on the horizon. That's right, GDPR is coming. But no need to panic; as long as you're aware of what exactly you have to comply with - and make solid, demonstrable steps towards compliance - you should be fine.
So with that in mind, let's focus on one of the absolute key areas of the legislation that has organisations concerned. That's right; appointing a Data Protection Officer. Basically, according to Articles 35-39 you must appoint one in three specified situations:
- where processing is carried out by a public authority;
- if the core activities of the controller or processor consist of regular and systematic monitoring of individuals on a large scale; or
- if the core activities consist of processing special categories of personal data on a large scale.
Now, that may seem simple enough. But statutes always seems simple until you actually have to apply them. For example, what do they mean by "core activities" or "large-scale" or "regular and systematic monitoring"? There's no real body of case law to help us after all.
Have no fear, because in December 2016, the Article 29 Working Party (an advisory body made up of a representative from the data protection authority of each EU Member State, the European Data Protection Supervisor and the European Commission) helped clarify all of this.
They issued interpretive guidance which defined ‘core activities’ as ‘key operations necessary to achieve the controller’s or processor’s goals’. This does not mean that the organisation must be in the business of data analytics, however, but rather that data processing is ‘an inextricable part of the controller’s or processor’s activity’.
The WP29 defined ‘large scale’ with focus on the number of data subjects rather than the organisation’s size. This means an organisation with few employees may nevertheless engage in ‘large-scale’ processing if it serves a lot of customers, whereas a company serving a small number of clients is unlikely to meet the ‘large-scale’ definition.
In particular, the WP29 identified the following ‘large-scale’ factors:
- The number of data subjects concerned—either as a specific number or as a proportion of the relevant population
- The volume of data and/or the range of different data items being processed
- The duration or permanence of the data processing activity
- The geographical extent of the processing activity
Following on from that, they defined the term ‘regular and systematic monitoring of data subjects’ as including all forms of Internet-based tracking and profiling, but is ‘not restricted to the online environment and online tracking’. The WP29 interprets ‘regular’ as meaning one or more of the following:
- Ongoing or occurring at particular intervals for a particular period
- Recurring or repeated at fixed times
- Constantly or periodically taking place
Hopefully this article helped clarify when exactly you need to appoint a Data Protection Officer. There'll be plenty of growing pains as whole industries have to adapt to a quickly changing privacy landscape. However, as long as we're aware of all the moving parts, things will be much easier.