NJORD Lithuania: Does your organisation need a Data Protection Officer?
Businesses around the globe are preparing for the GDPR to come into force on 25 May 2018. As the deadline for GDPR compliance is fast approaching and many companies will need to appoint a Data Protection Officer (DPO), companies need to consider whether their core business operations involve:
- regular and systematic monitoring of data subjects on a large scale; and/or
- processing special categories of data on a large scale.
These definitions have left a lot of room for interpretation, so the Guidelines on DPOs published by the Article 29 Working Party (WP29) have already introduced some explanations.
Core activities can be considered the key operations needed to achieve the organisation's objectives. These also include all activities where the processing of data forms an inextricable part of your activity (for example, processing patients' health data should be considered one of a hospital's core activities, whereas payroll or IT support are supporting activities).
Whether processing is on a large scale is assessed by its scope and duration: the number of data subjects, the volume of data or range of data items, the duration of the processing, the geographical extent of the processing at your company, etc.
Regular and systematic monitoring is understood to mean online behavioural marketing for commercial purposes and, according to WP29, includes all forms of tracking and profiling on the internet.
If your company falls within the scope of the GDPR requirement to appoint a DPO, it is important to fill the DPO position, either internally or with an external provider, as soon as possible. Where there is no mandatory requirement, companies may still find it useful to designate a DPO on a voluntary basis, as this is the best way to assist the organisation in complying with the GDPR. You should also assume that you will need a DPO – unless you can demonstrate that you don't.