Under the GDPR (Article 37(1)), appointing a DPO is mandatory in three circumstances:
- The organisation is a public authority or body.
- The organisation’s core activities consist of data processing operations that require regular and systematic monitoring of data subjects on a large scale.
- The organisation’s core activities consist of large-scale processing of special categories of data (sensitive data such as personal information on health, religion, race or sexual orientation) and/or personal data relating to criminal convictions and offences.
SMEs (small and medium-sized enterprises) are not exempt from the DPO requirements, should any or all of the above apply.
Other circumstances in which to appoint a DPO
The GDPR permits member states to specify other circumstances in which a DPO must be appointed.
Although the UK DPA (Data Protection Act) 2018 does not extend the GDPR’s requirements for DPOs, several EU member state laws do.
German data protection law, for example, requires an organisation to appoint a DPO if it has at least ten persons permanently engaged in the automated processing of personal data (the BDSG threshold was raised from ten to twenty persons in November 2019), regardless of whether the GDPR criteria above apply.
Even where the GDPR does not specifically require a DPO to be appointed, it is highly encouraged by the EDPB (European Data Protection Board) as a matter of good practice.
However, the role of the DPO is defined by the GDPR (Articles 37 to 39). So, if you appoint a DPO, they must fulfil the requirements the law sets out for them, including the tasks in Article 39 and the independence and conflict-of-interest rules in Article 38. Failing to do so will leave your organisation open to regulatory action.
Therefore, if you are not legally obliged to appoint a DPO, you may be better off appointing a GDPR manager or data privacy officer to oversee your GDPR compliance.
Like the official DPO role, this can be outsourced. Our Privacy as a Service will provide you with fast and expert support from independent privacy
Legal status of the DPO
A DPO has the same legal status whether the appointment is voluntary or mandatory. Organisations will be liable for the same penalties if the DPO role is not fulfilled correctly. In particular, Article 38 requires the DPO to act independently and prohibits them from holding any other task or duty that would result in a conflict of interests, which rules out the DPO deciding the purposes and means of processing. Therefore, organisations not obliged to appoint a DPO might find it sensible to employ someone in a comparable role to oversee data protection, but with the freedom to be more involved in the practicalities.