It’s a big question, and an important one. Article 37(1) of the GDPR requires the designation of a DPO in three specific cases. Is your organisation any of the following?
- a public authority (except for courts acting in their judicial capacity);
- an organisation that carries out the regular and systematic monitoring of individuals on a large scale; or
- an organisation that carries out the large-scale processing of special categories of data, such as health records, or information about criminal convictions.
If you answered ‘yes’ to any of the above questions, then you almost certainly do need to appoint a DPO.
If you answered a resounding ‘no’ to all of the above, then appointing a DPO is optional. We would suggest, however, that you may still want to consider appointing a DPO, for the reasons outlined in our blog post ‘Why appoint a data protection officer if we don’t have to?’