Does my business need a data protection officer, or can I do without one?
If you were wondering whether you should appoint someone from within your company or hire someone from outside to be your DPO, or if you even need it, you came to the right place for an answer.
In this article, we’ll explain exactly which businesses need to have a data protection officer and who can be a DPO, so let’s start.
Does My Business Need a Data Protection Officer?
Since the GDPR introduced the position, many business owners have wondered whether their business needs a data protection officer.
To answer this, we first need to understand what a data protection officer, or DPO, is.
A data protection officer is an individual or a service whose primary responsibility is to ensure that its organization processes the personal data of data subjects (customers, employees, or other individuals) in compliance with the data protection regulations that apply to it.
So, do you need someone like that in your company?
Luckily, we don’t have to guess too much as the European Commission provides an answer to this question.
The European Commission states that:
Your company/organization needs to appoint a DPO, whether it’s a controller or a processor, if its core activities involve processing of sensitive data on a large scale or involve large scale, regular and systematic monitoring of individuals.
What Kind of Businesses Require a Data Protection Officer?
To answer what kind of businesses require a DPO, we’ll turn to Section 4, Article 37 (Designation of the data protection officer) of the GDPR.
It says:
The controller and the processor shall designate a data protection officer in any case where:
The processing is carried out by a public authority or body, except for courts acting in their judicial capacity;
The core activities of the controller or the processor consist of processing operations which, by virtue of their nature, their scope, and/or their purpose, require regular and systematic monitoring of data subjects on a large scale; or
The core activities of the controller or the processor consist of processing on a large scale of special categories of data.
There are a couple of things that we need to unpack here for a better understanding:
Core Activities
Core activities refer to the business’s “primary activities.” For instance, “core activities of a real estate agent include buying, selling and renting properties on behalf of their clients.”
Large Scale
Unfortunately, the GDPR does not define “large scale.”
Viljar Peep, Estonian data protection commissioner, gives his definition in a LinkedIn post:
It is supposed to be large-scale processing if it covers the following:
Special category and/or criminal conviction/offense data of at least 5,000 persons
Data causing a high risk of at least 10,000 persons
Any other data of at least 50,000 persons
Of course, the numbers can be arbitrary, and the threshold will not be the same in different countries.
For instance, according to Germany’s Federal Data Protection Commissioner, “large scale data processing” operations include over 5 million people or a minimum of 40 percent of the relevant population. You’ll need to visit a compliance consultant to figure out what your specific legal landscape looks like.
Finally, the UN’s WP.29 recommends considering the following factors when determining if your business is processing data on a large scale or not:
How many data subjects are involved? You can go with a specific number, like 50,000, or a percentage, such as 40 percent.
The volume and/or range of processed data items
The duration of the data processing activity
The geographical extent of the data processing
Regular and Systematic Monitoring
Again, the GDPR does not define “regular and systematic monitoring”, but we can conclude that it refers to any form of tracking and profiling, whether online or offline.
More specifically, for monitoring to be regular, it has to be ongoing or happening at particular intervals, whereas for it to be systematic, it has to be in some manner organized or pre-arranged.
Special Categories
Finally, the last part of the explanation refers to special categories.
Luckily, the GDPR’s Article 9 (Processing of Special Categories of Personal Data) gives us a clear definition of what these are.
Special categories include:
Personal data that reveal racial and/or ethnic origins
Data regarding the person’s sex and sexual orientation
Biometric and genetic data processed to uniquely identify a person
Health data
Someone’s religious, philosophical, and political beliefs and opinions
Trade union memberships
So, if your business falls into any of the above categories, regardless of its size, it needs a data protection officer.
Who can be a Data Protection Officer?
Of course, not everyone can be a DPO.
A DPO can be either an individual or an organization that is an expert in data protection and can perform its function independently, without interference.
A DPO can also be someone from the company or hired externally, and a single DPO can work with more than one company at a time.
If you’re looking to hire someone as a DPO, you will need to look out for these things:
Relevant education, preferably in fields such as law, data protection, privacy management, or information security
Familiarity with relevant data protection laws like the GDPR or ADPPA
Specific experience and background, particularly in data privacy and protection, compliance, risk assessment, etc.
Technical and analytical skills such as legal knowledge, communication skills, software skills, and so on
The ability to stay up-to-date on the regulations, best practices, and technologies that are relevant to their position
FAQs
Do small businesses need a data protection officer?
The appointment of a data protection officer (DPO) is not based on the size of the business but on whether that business’s “core activities” include “large scale” and “regular and systematic” data processing.
In other words, a small business that processes data of, say, 50,000 individuals will require a DPO.
Does my company need a data protection officer?
Your company may need a data protection officer or a DPO if:
Its “core activities” include data processing
It processes data on a large scale (e.g., 50,000 individuals)
It does so regularly and systematically
It processes “special categories of personal data” (data related to the person’s racial and ethnic origins, religious/philosophical/political beliefs and opinions, sex and sexual orientation, etc.)
Why would someone need a data protection officer?
A business may need to appoint or hire a DPO to meet its regulatory data privacy requirements.
Which countries require a data protection officer?
Many countries, in their specific data privacy and protection regulations and laws, require a person or company who will be responsible for protecting personal data.
However, only the EU and a few other countries specifically call this a “data protection officer.”
For more reference on DPO requirements by country, it’s best to look at the IAPP.
Does a DPO need to be in Europe?
No, a DPO does not need to be based in Europe.
Closing
Data protection officers play an essential role in businesses, safeguarding important data and being required by law in many cases.
At Captain Compliance, we serve businesses by providing an outsourced compliance service that can act as a data protection officer.