When does an SME (Small to Medium Enterprise) require a Data Protection Officer?
Opinion Piece by Lindsay Charman
The GDPR does not differentiate between larger and smaller businesses when it comes to appointing a DPO. Whether you are legally required to appoint one depends on the type and volume of processing your organisation is responsible for, not on headcount or turnover.
For most businesses the answer is that you are not required to, and the focus will instead be on compliance generally and on being able to demonstrate it if you are audited.
However, you must appoint a DPO if you:
- Are a public authority or body
- Carry out, as a core activity, regular and systematic monitoring of individuals on a large scale, such as online behaviour tracking, or
- Carry out, as a core activity, large-scale processing of special categories of data or of data relating to criminal convictions and offences.
What is meant by ‘large scale’ processing?
The GDPR does not define “large-scale processing”. Recital 91, together with the Article 29 Working Party’s guidelines on DPOs, points to the factors that should be weighed: the number of data subjects involved, the volume of data and the range of different data items, the duration of the processing, and the geographical area covered.
The GDPR also makes clear that it is not designed to impose expensive or economically prohibitive obligations on sole practitioners (Recital 91, for example, states that processing by an individual physician, other health care professional or lawyer should not be considered large scale), though some practitioners argue that an organisation’s size and its capacity to monitor data must be weighed against the volume of data it actually processes.
If you handle special categories of data, though, it is advisable to err on the side of caution, as the risks to data subjects are greater.
The GDPR does not set out to impose economically restrictive practices on organisations, only what is necessary to protect data subjects.
Allowing a group of undertakings (in certain circumstances) to appoint a single, shared Data Protection Officer is a good example of this.
Any organisation may appoint a DPO voluntarily. Be aware, though, that a voluntarily appointed DPO is subject to the same requirements on position and tasks as a mandatory one. And even if your organisation chooses not to appoint a DPO because none of the above applies to you, you must still ensure that you have sufficient staff and skills in place to carry out your obligations under the GDPR.