Organisations must appoint a DPO if they are a public body, process sensitive data on a large scale, or carry out regular and systematic monitoring of data subjects. What is meant by "large scale" is open to interpretation, but organisations would be advised to err on the side of caution. Earlier thinking during the development of the GDPR on the need for a DPO indicated that larger organisations would need one. If you meet that threshold and decide not to have a DPO, you will need compelling reasons.
Larger organisations – those with over 250 staff – have additional responsibilities including the requirement to document all processes involving the handling of personal data.
A DPO doesn’t need to be a specified member of staff, as a third party can be used. In Germany, this practice has been in use for some time, with specialist agencies offering DPO services.
It’s essential that the DPO has a level of independence and authority with regard to the organisation.
It’s also very important to establish that a DPO has the appropriate skill levels, training and ability to access the information they require.
It is therefore critical that the DPO is able both to understand the law and to know how it should be applied within the organisation. This expertise must be applied to an understanding of the ways the organisation acquires and processes information, as well as the security and protection measures employed.
It’s quite likely that many individuals who currently hold the role of data protection representative may not be suited to the new DPO role.
Will you need a DPO?