The concept of a ‘Data Protection Officer’ (“DPO”) for organizations processing personal data has been alive and well for many years – already a mandatory requirement in some countries and best practice in others.
However, for the first time, the appointment of a DPO will be mandatory under the General Data Protection Regulation (“GDPR”) for many organizations regardless of their size or whether they are processing personal data in their capacity as a controller or a processor. But before you all rush out to recruit a DPO – stop, breathe and read this blog – you may be panicking unnecessarily.
Under the GDPR, there are three main scenarios where the appointment of a DPO by a controller or processor is mandatory:
The processing is carried out by a public authority;
The core activities of the controller or processor consist of processing operations which require regular and systematic processing of data subjects on a large scale; or
The core activities of the controller or processor consist of processing on a large scale of sensitive data or data relating to criminal convictions or offenses.