#8 Data Privacy Best Practice: Determine whether it is necessary to appoint a Data Protection Officer (DPO) under the GDPR.
My recent posts in this series have discussed best privacy practices for the hypothetical software company BizConnect. These practices have included:
This post focuses on whether it is necessary for BizConnect to appoint a Data Protection Officer or DPO.
The appointment of a DPO is not mandatory for every company subject to the GDPR. There is a threshold test of who is subject to Article 37’s DPO requirement. If a company’s “[C]ore activities involve regular and systematic monitoring of data subjects on large scale or large scale of special categories of personal data such as race, ethnicity, or religious beliefs,” then the appointment of a DPO is required. See text of Article 37 here.
BizConnect’s services are not designed or intended to collect any information in these special categories. The question of whether a company’s “core activities involve regular and systematic monitoring of data subjects on a large scale” is more difficult to determine with precision. An early GDPR draft proposed applying the requirement to any company with more than 250 employees. This was rejected in part because there could be large companies that do not massively collect or use personal data, and very small companies that do.
BizConnect is engaged in neither large scale monitoring nor collection of personal data in the special categories. The personal data it holds, such as names and email addresses, is entered by the companies that use its software product.
Even if it is not required to appoint a DPO, BizConnect could choose to do so.
What is the potential downside of appointing a DPO, especially for a small company? The DPO must be very knowledgeable about the GDPR and assumes such internal duties as conducting training, monitoring the company’s processing, and generally advising the company on GDPR compliance. In a small company like BizConnect, the individual serving as DPO would likely also be carrying out other responsibilities, and should only assume the formal role of DPO if they can meet those qualifications. Alternatively, BizConnect could hire an external contractor to serve as DPO.
If BizConnect does not appoint a DPO, it should document its rationale for concluding that it does not meet the mandatory appointment test of Article 37. It should still appoint a privacy officer who will coordinate GDPR compliance, including internal training of personnel.