These six organisations are considering appointing a DPO – and yours?

It is advisable that all organisations, regardless of size and geographic location, duly assess whether they need to appoint a Data Protection Officer (DPO). In our previous article we illustrated what the DPO role is; here, we provide you with six practical examples (names and domain of activity are fictional).

Organisations that need to appoint a DPO as soon as possible

  • Pipely Waters Ltd is a company operating in the water management and distribution sector in Scotland. It provides water to ca. 280 families in the remote area of Sutherland, and it is fully owned by a local city council. The fact that this company is fully owned by a public authority also qualifies it as a public authority under the relevant UK law, even if the personal data is not processed on a large scale. Therefore, Pipely Waters fulfils the requirement for a compulsory appointment of a DPO.
  • AcuMedical Ltd is a private practice specialising in acupuncture for pain-relief purposes. It has a patient base of around 450. In order to deliver adequate service, they ask each new patient to submit their medical history. Then, they store such data in an electronic system that keeps track of patients’ treatments to send alerts and reminders. Although this private practice has a limited number of patients, it processes medical data, which belong to the special categories of data and require a DPO appointment.

Organisations that are not required to appoint a DPO

  • DryHard Ltd is a laundrette located in London. In addition to a self-service laundromat, they provide a custom laundry service for delicate clothes to their over 1300 customers. DryHard is equipped with a customer database tool to improve logistics. Although they process data of over a thousand people, they do not use this data for monitoring customers or analysing their behaviour. Therefore, DryHard is not required to appoint a DPO.
  • Strate.me Ltd is a small advisory firm based in Leeds. They provide advice to companies that aim to enhance their competitiveness on the European energy market. For their activity, they do not process large sets of data: indeed, they only have access to a very limited number of officers of their 15 client companies. Some of these companies process data on a large scale, but Strate.me never has access to such data. In this case, due to the nature of their activity, the consultancy does not need to appoint a DPO.

Organisations that are not legally required to appoint a DPO, but their business activity makes it appropriate to appoint one

  • N-Gage Ltd is a political consultancy firm. They carry out lobbying and stakeholder-engagement activities with the British government and the EU, and help corporations and citizens’ associations to enter into a fruitful dialogue with policymakers, especially in the education sector. N-Gage is not formally required to appoint a DPO, but it may consider doing so anyway in order to enhance its reputation as a responsible player when dealing with delicate matters in the political and legislative sector.
  • The DO-IT Foundation is a private foundation that aims at recovering and maintaining historical buildings. Within their activity, they open these places to the public once a year, in their DO-IT Spring Sundays. The Foundation is partially funded by the government and takes part in multi-stakeholder projects and activities. Although they do not fulfil the requirements for the appointment of a DPO, they may consider appointing one, in order to demonstrate their compliance with the law in carrying out activities that are partially funded with taxpayers’ money.

In conclusion

As shown in these examples, the decision on whether to appoint a DPO is not based on a simple check-list of requirements. While one might be induced to think that the legal requirements in Article 37 are the only parameter, the Article 29 Working Party stresses that voluntary appointment is to be encouraged. While the organisations in our examples 3 and 4 may feel reasonably safe without appointing a DPO, companies 5 and 6 should take the possibility of an appointment very seriously.
Indeed, the GDPR introduced a risk-based approach when dealing with data protection compliance. Thus, organisations that appoint a DPO add a further point of strength to their compliance strategy, and this will certainly matter when authorities assess the organisation’s risk exposure in case of data breaches and other issues.

Are you unsure whether you need to appoint a DPO?

Contact our team:

FILIPPO MARCHETTI, Data Protection Specialist at Trilateral Research