Do I need to engage a DPO or not? This question remains challenging for many organisations to answer.
What does the GDPR state?
Under the regulation, the requirement to appoint a DPO is based on the following criteria:
- you are a public authority or body (except for courts acting in their judicial capacity);
- your core activities require large scale, regular and systematic monitoring of individuals (for example, online behaviour tracking); or
- your core activities consist of large scale processing of special categories of data or data relating to criminal convictions and offences.
However, we feel these criteria remain confusingly ambiguous. For example:
- what is meant by large scale?
- what is regular in terms of the monitoring of Data Subjects?
Because of this ambiguity, most organisations opt to ignore the requirement and avoid engaging a DPO.
However, is this justified, or is it a high-risk strategy?
In our view, organisations need to take a risk-averse approach; otherwise they risk breaching the GDPR and the Data Protection Act 2018.
Taking a risk-averse approach
The Information Commissioner's Office (ICO) explains what is meant by ‘large scale’ and ‘regular’ in its guidance on this point.
In our view the explanation provided remains ambiguous, and even the example given offers little clarity. That said, if your organisation is processing special categories of data on any scale at all, we would suggest the legal requirement is ‘likely’ to be that you need to formally appoint a Data Protection Officer (DPO).
Even if you prefer to argue the point, you probably have a ‘best practice’ requirement to appoint a DPO. For example, many legal interpretations of the Data Protection Act 2018 suggest that any processing of health-related personal data requires the appointment of a DPO.
What is the impact of this?
We think this is significant for obvious reasons. For example, the following types of organisations need to engage a DPO as a matter of urgency:
- Any public authority
- Any organisation providing children’s after-school services (e.g. sports clubs)
- Childcare Providers
- GP Practices
- Social Care Providers
- Care Homes
- IT Support Organisations (especially those servicing any business on this list)
The above list is not exhaustive; many more types of organisation would fall into the ‘legally required’ or ‘best practice’ category, e.g. accountancy firms.
How to engage a DPO
Data Privacy Services offers a full DPO-as-a-service offering, starting from only £58.00 + VAT per month, with six different levels of service available.