The answer to the question ‘do I need a Data Protection Officer under GDPR?’ is not always straightforward. Here are some tips you can use in order to reach a valid decision on appointing a DPO.
Formal Data Protection Officer or informal Data Protection Adviser?
The question ‘do I need a Data Protection Officer?’ comprises a strictly legal component according to GDPR criteria and a less formal component, i.e. would it be wise for a company like mine to have a Data Protection Officer (or a regular privacy adviser)? If you find that the GDPR and the WP29 Guidelines on Data Protection Officers do not provide a clear answer, and that your business model is largely based on processing data about people, you cannot go wrong by appointing a DPO. The truth is, you will require a credible, independent privacy adviser anyway, so giving them the DPO status will be an easy additional step.
Do I engage in ‘regular and systematic monitoring’?
Many businesses we interact with are unsure whether they meet the GDPR criterion of ‘regular and systematic monitoring’ as part of the company’s core activities, on a large scale. Businesses sometimes suggest using the criterion as an escape clause: we are processing personal data but do not engage in ‘regular and systematic monitoring’. But is that correct?
WP29 interprets this criterion broadly. Its examples include: providing a telecommunications network or service; email retargeting; profiling and scoring for purposes of risk assessment, e.g. in relation to insurance; location tracking, for example by mobile apps; loyalty programs; behavioural advertising; monitoring of wellness, fitness and health data via wearable devices; closed-circuit television; and providing connected devices, e.g. smart meters, smart cars, home automation, etc. The list may seem limited at first glance, but a closer look reveals several common approaches to doing business.
Behavioural advertising and location-based services are often an integral part of web- and app-based services. Loyalty programs are regularly found both online and offline. IoT features are becoming more and more common.
Is it ‘large scale’?
In order to assess this criterion, WP29 suggests one should consider not only the number of data subjects concerned (either as a specific number or as a proportion of the relevant population), but also the volume of data and/or the range of different data items being processed, the duration or permanence of the data processing activity, and the geographical extent of the processing activity. A neat comparison of a hospital as opposed to an individual GP or dentist is also given to differentiate between ‘large scale’ and ‘small scale’.
An extra tip: every online retail business needs to be ‘large scale’ to survive, so if you are not ‘large scale’ now, you definitely aspire to be. And once you reach that point, ensuring GDPR compliance may be more difficult than it is on a small scale. When it comes to compliance, greenfield is easier than brownfield, so getting a credible privacy adviser or DPO soon may save you a lot of frustration and money.