Data Protection Officer in Small and Medium Enterprises – A useless figure or an accountability cornerstone?

One of the key innovations of the GDPR is the introduction of the role of the Data Protection Officer (DPO), a corporate role tasked with facilitating compliance with the GDPR provisions. The DPO appointment is compulsory in selected cases, and in most cases, it is strongly advisable.

The upcoming applicability of the General Data Protection Regulation (GDPR) requires that every organisation assesses its data protection practices and rethinks all processes that would not be compliant with the new legislation. Having said this, it is not uncommon for small organisations to believe that the limited number of employees or the limited amount of revenues is worth a free pass out of the GDPR labyrinth.

Some confusion seems to exist on whether small business – Small and Medium Enterprises, SMEs  – are exempted from the obligation to appoint a DPO.

While SMEs enjoy limited waivers under the GDPR (see for instance the waiver to the requirement to draft a Records of processing activities at Article 30(3) GDPR), their overall accountability is unaffected, and therefore, they should be looking closely to map their GDPR exposure soon. For this purpose, the European Commission released several documents to help big and small organisations understand their duties.

As the recent Cambridge Analytica scandal showed to the world, the size of a company has little to no impact on its exposure to data protection issues. Indeed, Cambridge Analytica is formally a SME, as it has less than 250 employees and a turnover below € 50m. Nevertheless, their business activities put them in a position to harvest data concerning tens of millions of people worldwide, and they are now under investigation for an alleged breach of data protection law of epic proportions.

The key element in the GDPR is not the size of the company, but instead, it is the size and nature of data protection processes. Your company must assess as soon as possible:

a) how much data it processes

b) what kind of data it processes

c) how it processes it

 

 

The outcome of this data protection assessment helps organisations understand whether they must appoint a DPO or not, and while the size of the company may serve as a general warning light, it has no actual weight in the final outcome of the assessment.

In a past news article we provided our readers with a few key examples of firms of different sizes who need and need not appoint a DPO. SMEs were the object of half of those examples.

  • Does your (small/medium) company process data on a large scale (indicatively belonging to 5000+ people)?
  • Does it process data systematically?
  • Does it process special categories of data (data on ethnic origins, sex, religion, etc.) or criminal data?

In all these cases, you will need to appoint a DPO regardless of the size of your company. For more information visit our DPO Service page.

In other cases, such as that of the small business that only processes a small amount of data regarding their employees and suppliers, this appointment will not be necessary (see also the definition of ancillary activities under Recital 97 GDPR).

Notwithstanding, as it has been stressed by the Article 97 Working Party (soon European Data Protection Board), a voluntary DPO appointment is welcomed by data protection authorities and by the EU. Indeed, the accountability principle is of paramount importance in the GDPR. Under this principle, all organisations must demonstrate that they comply with the GDPR and appointing a DPO – who is involved and consulted in all data-protection-relevant business decisions – is a cornerstone to demonstrate compliance as well as to put the organisation in a safe position in terms of reputational risk.

While a DPO appointment may be seen as an unnecessary cost by some SMEs, recent facts suggest that saving money on data protection may prove to be a questionable judgment in the long-term. Thus, it is strongly advisable that SMEs, who constitute the core of the European business fabric, examine their exposure as soon as possible.

Are you unsure whether your organisation is well-placed in view of the 25 May 2018 deadline? Feel free to contact us.

Filippo Marchetti, Data Protection Specialist at Trilateral Research

 

Kush Wadhwa, Director at Trilateral Research

Kush Wadhwa