The new data privacy regulation (the GDPR) requires some companies to appoint a data protection officer (DPO). Many companies will need a DPO because their core activities require regular and systematic monitoring of individuals on a large scale (Article 37(1)(b)). The regulation takes effect in May 2018. There has been confusion about which companies need such a role. In response, the Article 29 Working Party recently issued guidance that clarifies three concepts: (1) core activities requiring monitoring, (2) regular and systematic monitoring, and (3) large scale. The Working Party expects companies to document how they determined whether they need a DPO.
As companies think about the DPO role, it is helpful to look at how the Working Party understands these three concepts. Core activities, the guidance indicates, are those that are key to achieving a company’s goals. Examples given are the processing of patient data by a hospital, or the surveillance a private security company carries out at a shopping center. Routine supporting processing, such as HR-related processing, is not a core activity. Examples given of regular and systematic monitoring include “all forms of tracking and profiling on the internet,” as well as email retargeting, location tracking (by mobile apps, for example), loyalty programs, and the monitoring of fitness data by wearable devices, among others. Finally, with respect to large scale, the Working Party indicates that standards for defining this will likely develop over time. For now, the examples given include processing customers’ geolocation data for statistical purposes related to the company’s services (in the example given, a fast food chain) and the processing of customer data in the “regular course of business” by a bank or insurance company.
The guidance also gives direction on the DPO’s role and responsibilities and reminds companies that the DPO does not carry the ultimate compliance obligation under the GDPR; that responsibility falls on the controller or processor. It adds that even if a company concludes it does not need a DPO, it may find it “useful” to voluntarily designate someone to that role.
TIP: Companies working toward GDPR compliance may find this new guidance helpful in thinking through whether or not to appoint a DPO. While the guidance does not address every possible scenario, it suggests that the Working Party is interpreting the concepts of “core activities” and large-scale monitoring broadly.