In the modern digital age, the use of personal data is expanding in terms of volume and value. UK privacy law ensures the commercial use of personal data is fair when balanced with the rights of UK data subjects. Monitoring compliance with applicable privacy laws is a key responsibility of a Data Protection Officer (DPO), but does your organisation actually need a designated DPO? Let’s take a look at the facts…
Article 37 of the General Data Protection Regulation (GDPR) states that the controller of personal data must appoint a DPO on a mandatory basis if it meets one of the following criteria:
- The processing is carried out by a public authority or a public body (except for courts acting in their judicial capacity). Examples of this include: the governing body of a higher learning institution, an NHS trust or a county council.
- The core activities of the controller or processor consist of processing operations which require regular and systematic monitoring of data subjects on a large scale. An example of regular and systematic monitoring could include operating business CCTV or tracking online behaviour.
- The core activities of the controller or processor consist of processing on a large scale of special category personal data (Article 9) and personal data relating to criminal convictions and offences (Article 10). This type of processing could, for example, be undertaken by health organisations, criminal record checking organisations or trade unions.
How do you know if the processing is large scale?
Although there is no definition given for ‘large scale processing’ in the GDPR or the Data Protection Act 2018, to decide whether processing is on a ‘large scale’, you should consider:
- The number of data subjects concerned.
- The volume of personal data.
- The variety of personal data.
- The duration of the data processing.
- The geographical extent of the processing.
Are you unsure whether you meet any of the above criteria?
Contact us on 0800 999 5550 or email me at firstname.lastname@example.org for a confidential discussion about your commercial processing activities.
Harry Ware - Senior Data Protection Adviser