Do you need a Data Protection Officer under GDPR?


Under Article 37 of the General Data Protection Regulation (GDPR), certain organisations must appoint a data protection officer (DPO). Here’s how to find out if this rule applies to you.

Who needs a DPO?

The GDPR applies to any business that offers goods or services to people in the European Union. It’s substantially different to the previous Data Protection Act, so there are certain changes companies must make to their data handling processes to prepare for the new regulation.

One of the key changes that companies may need to implement is the appointing of a Data Protection Officer.

Earlier drafts of the GDPR limited this requirement to companies with more than 250 employees. However, the final version has no size restriction, meaning it can apply to small businesses too.

The following companies need to appoint a data protection officer under Article 37:

  • Public authorities or bodies, except for courts acting in their judicial capacity.
  • Companies who process data requiring ‘regular and systematic monitoring of data subjects on a large scale.’
  • Companies who process, on a large scale, any special category of personal data. This includes data which reveals racial or ethnic origin; political opinions; religious or philosophical beliefs and other such information.
  • Companies who process, on a large scale, personal data relating to criminal convictions and offences

New Call-to-action

Does this include my business?

As with most legal documents, there are some phrases in Article 37 of the GDPR that are quite vague. It’s hard to know what counts as ‘large scale’ or ‘systematic’ monitoring, for example.

Thankfully, the Article 29 Working Party has published ‘Guidelines on Data Protection Officers’ which provides some much needed guidance, if not concrete definitions:

  • Large Scale. The guidance provides no definition for this. However, it recommends organisations take the following into account in determining if they are processing on a large scale
    • The number of data subjects concerne
    • The volume of data or range of data items
    • The duration of the processing
    • The geographical extent of the processing
  • Regular and systematic monitoring. This ‘includes all forms of tracking and profiling on the internet, including for the purposes of behavioural advertising’. But, you should note that this applies to offline activity as well as online. So if you track data offline, the GDPR may still apply to you.


What to look for in a data protection officer

If you need to appoint a data protection officer, you should do so on the basis of their ‘professional qualities’. They need expert-level knowledge of data protection law and best practices, and at a minimum they must be able to do the following:

  • Inform and advise all staff who carry out data processing of their obligations under the GDPR;
  • Monitor compliance with not just GDPR and internal company policies, but other EU or Member State data protection laws that relate to personal data too. Areas to monitor include the assignment of responsibilities, awareness-raising and training of staff involved in data processing;
  • Provide advice on any data protection impact assessment. This is where a potential new technology or data processing tool might infringe personal data rights. They must also monitor this assessment;
  • Cooperate with supervisory authorities; and
  • Act as a point of contact for the supervisory authority on all matters of data protection.

In carrying out these tasks, your data protection officer should give ‘due regard’ to the risk of carrying out data processing. They also have the right to insist on their company providing any and all resources they need to do their job effectively.

GDPR means self-assessment, so be honest with yourself

Somewhat unhelpfully, the powers-that-be have been rather vague about who Article 37 of the GDPR applies to. Therefore, small businesses need to be aware of the fact they may need to appoint a data protection officer before the regulation comes into effect on 25 May 2018. They also need to be honest about whether they think it applies to them.

If your business tracks data, either online or offline, of multiple individuals over a relatively modest time-period and geographical area you may need to appoint someone to the role. This can be as simple as carrying out customer research surveys for a client. If your business does these kinds of activities regularly, Article 37 will apply.

Still unsure about whether Article 37 applies to you or not? Email us  and we’ll help you review your data processes and move forward with GDPR compliance.

15 best (and most reliable) sources of IT security news
Data protection in the US vs Europe: what businesses need to know