Under Article 37 of the General Data Protection Regulation (GDPR), certain organisations must appoint a data protection officer (DPO). Here’s how to find out if this rule applies to you.
The GDPR applies to any business that offers goods or services to people in the European Union. It’s substantially different to the previous Data Protection Act, so there are certain changes companies must make to their data handling processes to prepare for the new regulation.
One of the key changes that companies may need to implement is appointing a Data Protection Officer.
Earlier drafts of the GDPR limited this requirement to companies with more than 250 employees. However, the final version has no size restriction, meaning it can apply to small businesses too.
The following companies need to appoint a data protection officer under Article 37:
As with most legal documents, there are some phrases in Article 37 of the GDPR that are quite vague. It’s hard to know what counts as ‘large scale’ or ‘systematic’ monitoring, for example.
Thankfully, the Article 29 Working Party has published ‘Guidelines on Data Protection Officers’ which provides some much needed guidance, if not concrete definitions:
If you need to appoint a data protection officer, you should do so on the basis of their ‘professional qualities’. They need expert-level knowledge of data protection law and best practices, and at a minimum they must be able to do the following:
In carrying out these tasks, your data protection officer should give ‘due regard’ to the risks associated with the data processing being carried out. They also have the right to insist that the company provides any and all resources they need to do their job effectively.
Somewhat unhelpfully, the powers-that-be have been rather vague about who Article 37 of the GDPR applies to. Therefore, small businesses need to be aware of the fact they may need to appoint a data protection officer before the regulation comes into effect on 25 May 2018. They also need to be honest about whether they think it applies to them.
If your business tracks the data of multiple individuals, either online or offline, over a relatively modest time period and geographical area, you may need to appoint someone to the role. This can be as simple as carrying out customer research surveys for a client. If your business does these kinds of activities regularly, Article 37 will apply.
Still unsure about whether Article 37 applies to you or not? Email us firstname.lastname@example.org and we’ll help you review your data processes and move forward with GDPR compliance.