Call us today:

01 23 777 22

or complete our Contact Form

  NEWS

Who needs a Data Protection Officer?

The Office of the Data Protection Commissioner recently shared its advice on who needs a Data Protection Officer, their role, responsibilities and obligations...

The Data Protection Officer (DPO) role is an important GDPR innovation and a cornerstone of the GDPR’s accountability-based compliance framework. In addition to supporting an organisation’s compliance with the GDPR, DPOs will have an essential role in acting as intermediaries between relevant stakeholders (e.g. supervisory authorities, data subjects, and business units within an organisation).

The DPO will have professional standing, independence, expert knowledge of data protection and, to quote the GDPR, be ‘involved properly and in a timely manner’ in all issues relating to the protection of personal data.

The DPC recommends that all organisations who will be required by the GDPR to appoint a DPO should do this as soon as possible and well in advance of May 2018. With the authority to carry out their critical function, the Data Protection Officer will be of pivotal importance to an organisation’s preparations for the GDPR and meeting the accountability obligations.

A DPO may be a member of staff at the appropriate level with the appropriate training, an external DPO, or one shared by a group of organisations, which are all options provided for in the GDPR.

It is important to note that DPOs are not personally responsible where an organisation does not comply with the GDPR. The GDPR makes it clear that it is the controller or the processor who is required to ensure and to be able to demonstrate that the processing is in accordance with the GDPR. Data protection compliance is ultimately the responsibility of the controller or the processor.

Who needs a DPO?

  1. All public authorities and bodies, including government departments.
  2. Where the core activities of the organisation (controller or processor) consist of data processing operations, which require regular and systematic monitoring of individuals on a large scale.
  3. Where the core activities of the organisation consist of special categories of data (ie health data) or personal data relating to criminal convictions or offences.

Public Authority or Body?

Public authorities and bodies include national, regional and local authorities, but the concept typically also includes a range of other bodies governed by public law.

It is recommended, as a good practice, that private organisations carrying out public tasks or exercising public authority should designate a DPO.

Core activities can be defined as the key operations necessary to achieve an organisation’s (controller or processor’s) goals. For example, a private security company which carries out surveillance of private shopping centres and/or public spaces using CCTV would be required to appoint a DPO as surveillance is a core activity of the company. On the other hand, it would not be mandatory to appoint a DPO where an organisation undertakes activities such as payroll and IT support as, while these involve the processing of personal data, they are considered ancillary rather than core activities.

Large-scale processing

While the GDPR does not define large-scale the following factors should be taken into consideration;

  • The number of individuals (data subjects) concerned – either as a specific number or as a proportion of the relevant population
  • The volume of data and/or the range of different data items being processed
  • The duration, or permanence, of the data processing activity
  • The geographical extent of the processing activity

Examples of large-scale processing include:

  • processing of patient data in the regular course of business by a hospital
  • processing of travel data of individuals using a city’s public transport system (e.g. tracking via travel cards)
  • processing of real time geo-location data of customers of an international fast food chain for statistical purposes by a processor specialised in providing these services
  • processing of customer data in the regular course of business by an insurance company or a bank
  • processing of personal data for behavioural advertising by a search engine
  • processing of data (content, traffic, location) by telephone or internet service providers

Examples that do not constitute large-scale processing include:

  • processing of patient data by an individual doctor
  • processing of personal data relating to criminal convictions and offences by an individual lawyer

Regular and systematic monitoring

Regular and systematic monitoring should be interpreted, in particular, as including all forms of tracking and profiling on the internet, including for behavioural advertising. However, the definition of monitoring is not restricted to the online environment. Online tracking is just one example of monitoring the behaviour of individuals.

Regular’ is interpreted by the Working Party 29 (comprising the EU’s data protection authorities) as meaning one or more of the following:

  • Ongoing or occurring at particular intervals for a particular period
  • Recurring or repeated at fixed times

Systematic’ is interpreted as meaning one or more of the following:

  • Occurring according to a system
  • Pre-arranged, organised or methodical
  • Taking place as part of a general plan for data collection
  • Carried out as part of a strategy

Examples would likely include operating a telecommunications network; data driven marketing activities; profiling and scoring for purposes of risk assessment (eg fraud, credit scoring, insurance premiums); loyalty programmes, CCTV, and connected devices (eg smart cars)

Special Categories of Data – these include personal data revealing; racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation or personal data relating to criminal convictions and offences.

Further information and guidance

Further information and guidance on the Data Protection Officer role is set out in the guidelines of the Working Party 29. In particular, these guidelines set out the position of the EU’s data protection authorities on matters such as:

  • Designation of a single DPO for several organisations
  • Expertise and skills of the DPO
  • Role, tasks, responsibilities and independence of the DPO
  • Resources that should be provided to a DPO to carry out their tasks



Share this article!