Mandatory appointment of a data protection officer – does this apply to my organisation?

The appointment of a data protection officer will become mandatory for many organisations in May next year as a requirement of the General Data Protection Regulation (Article 37 GDPR).

For those organisations that have not yet appointed a data protection officer or are not sure if they need to hopefully this blog will assist in the decision-making process.

The mandatory appointment of a DPO is required for organisations which fall in the following three categories:

  1. Public authorities (except for courts acting in a judicial capacity).
  2. Organisations whose core activities require regular and systematic monitoring on a large scale.
  3. Organisations whose core activities involve processing special categories of data or personal data relating to criminal convictions and offences on a large scale.

The decision-making process in terms of the requirement for a DPO has been made clearer by recent guidance issued by the Article 29 Working Party (A29). It is interesting however that the A29 recommends that controllers and processors should document the internal analysis carried out to determine whether a DPO is appointed and that such analysis should be considered as part of the data protection accountability principle (the accountability principle in Article 5(2) requires an organisation to demonstrate that they comply with the GDPR principles).

Organisations that decide not to appoint a data protection officer should document the process they followed to arrive at the decision not to appoint.

The first category is reasonably straightforward in terms of designated public authorities.

In the second category, the A29 defines core activities as ╦ťthe key operations necessary to achieve the controller’s or processor’s goals.’ The example given relates to a hospital providing health care. A core activity would be processing health records. Examples of ╦ťlarge scale ╦ťprocessing are processing of travel data of individuals using a public transport system and the processing of real time geo-location data of customers of an international fast food chain for statistical purposes. The A29 defines ╦ťregular’ as ╦ťongoing or occurring at intervals’ and ╦ťrecurring or repeated at fixed times’ and constantly or periodically taking place.’

╦ťLarge scale’ depends upon the number of data subjects and the volume or range of the different data items being processed as well as the duration or permanence of the processing. Examples given of this category are providing telecommunication services, email retargeting, data driven marketing activities, location tracking, loyalty programs and connected devices

The third category is reasonably straightforward and Article 37(1)(C) addresses the processing of special categories. The provision uses ╦ťand’ between the two criteria (special categories of data and data relating to criminal convictions) but the A29 states that the text should read ╦ťor.’

The GDPR definition of ╦ťspecial categories’ of personal data is the same as ╦ťsensitive personal’ data defined in the Data Protection Act 1998 with the addition of biometric data and genetic data (racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, data concerning health and data concerning a natural person’s sex life or sexual orientation).

If an organisation falls into the above three categories then the appointment of a DPO is mandatory.

A single data protection officer may be appointed to act for a group of companies or for a group of public authorities.

Where an organisation which processes, personal data is not sure if they fall within the Article 37 categories then some form of assessment should be carried out of their data processing. This will be necessary to comply with the accountability principle if it is decided not to appoint a DPO.

This assessment process will also apply to an organisation which is sure that the Article 37 criteria does not apply to them. Any organisation which processes personal information must comply with data protection laws. This is evident in an analysis of the Information Commissioner’s regulatory action especially where sensitive personal information (GDPR special categories) has been lost, stolen or put at risk.

It is clear, that an organisation will not be able to argue that Article 37 did not apply to them and use this as a defence or excuse for poor data protection practice to avoid regulatory activity.

The assessment process will require some data protection expertise. For example, an organisation will be required to maintain internal records of processing activities. An information audit will help to identify the personal data flows in an organisation and whether any special category of data is being processed. If an organisation has more than 250 employees’ additional internal records of processing activities must be maintained.

Also, the GDPR requires organisations to implement technical and organisational measures to demonstrate that data protection has been considered and integrated into processing activities. There is also a requirement for an organisation to identify and publish their lawful basis for processing personal information.

The GDPR will set a higher standard for consent. The ICO has recommended that organisations review their consent mechanisms to ensure that they will comply with the GDPR.

The GDPR will give individuals greater rights over their personal information. The ICO recommends that organisations should check their procedures to ensure that they can deliver on individual rights. For example, the right to be informed, the right of access, the right of rectification, the right to erasure, the right to restrict processing, the right to data portability, the right to object and rights in relation to automated decision making and profiling.

Whilst the GDPR makes it clear when an organisation must appoint a DPO there is clearly also much work to be done for any organisation which falls outside the criteria for a mandatory DPO. The A29 recommends the voluntary appointment of a DPO for those organisations which process personal information but do not meet the criteria set out in Article 37.

The GDPR allows organisations to fill the role of a DPO using an external service provider. Outsourcing your DPO requirements to ProDPO means you can rely on our expertise in data protection law and practice.

It you have any questions about data protection and or GDPR please get in touch on or 0203 697 7206.

Struggling to recruit a DPO? Don't need someone full-time?

If you have any questions please get in touch on or 020 3697 7206