Do you need to appoint a Data Protection Officer?

In the modern digital age, the use of personal data is expanding in terms of volume and value. UK privacy law ensures the commercial use of personal data is fair when balanced with the rights of UK data subjects. Monitoring compliance with applicable privacy laws is a key responsibility of a Data Protection Officer (DPO) but does your organisation actually need a designated DPO? Let’s take a look at the facts…

Article 37 of the General Data Protection Regulation (GDPR) states that the controller of personal data must appoint a DPO on a mandatory basis if it meets one of the following criteria: 

1. The processing is carried out by a public authority or a public body (except for courts acting in their judicial capacity). Examples of this include: the governing body of a higher learning institution, an NHS trust or a county council.
2. The core activities of the controller or processor consist of processing operations which require regular and systematic monitoring of data subjects on a large scale. An example of regular and systematic monitoring could include operating business CCTV or tracking online behaviour.
3. The core activities of the controller or processor consist of processing on a large scale of special category personal data (Article 9) and personal data relating to criminal convictions and offenses (Aricle 10). This type of processing could, for example, be undertaken by health organisations, criminal record checking organisations or trade unions.

How do you know if the processing is large scale?

Although there is no definition given for ‘large scale processing’ in the GDPR or the Data Protection Act 2018, to decide whether processing is on a “large scale”, you should consider:

• * The number of data subjects concerned.
• * The volume of personal data.
• * The variety of personal data.
• * The duration of the data processing.
• * The geographical extent of the processing.

Are you unsure whether you meet any of the above criteria?

Contact us on 0800 999 5550 or email me at info@bruceandbutler.com for a confidential discussion about your commercial processing activities.

Harry Ware - Senior Data Protection Adviser

Posted on 14th Apr 2020 09:53:50 by Matt

Tags: Data Protection, DPO.

Introducing - The Diary of a DPO Podcast

An introduction to our brand new and first ever podcast - The Diary of a DPO.

Introducing The Diary of a DPO podcast with Matt Bruce, CEO of Bruce & Butler - Data Protection and Information Security Specialists based in the UK.

Matt will give you an insight into the role of a Data Protection Officer whilst exploring new and emerging technologies and how they process personal data.

Believe me, the role of a Data Protection Officer (DPO) isn’t half as boring as it sounds.

It’s an increasingly important role and one that’s ever changing with the advancing pace of technological change, particularly with the emergence of Cloud, Big Data, Analytics and Artificial Intelligence (AI).

Ensuring the compliant, secure and ethical processing of personal data is now a top corporate risk with the consequences of getting it wrong terminal of organisations.

Check out our podcast on the following platforms:

• Apple Podcasts: https://podcasts.apple.com/us/podcast/the-diary-of-a-dpo/id1506468068?ign-mpt=uo=4
• Spotify: https://open.spotify.com/show/7h9XIpEJNZV4xHEVEVMnXZ
• AudioBoom: https://audioboom.com/channels/5022082

Posted on 14th Apr 2020 09:39:15 by Matt

Tags: Data Protection, DPO.