Do small businesses need to appoint a DPO under GDPR?

The introduction of the GDPR on May 28th, 2018, was partly led by the internet age where there are profound changes in the ways that many organizations, including small businesses, manage the personal data of members of the public, ‘data subjects’ under the GDPR. Many companies and organizations who manage and store the data of data subjects need to develop, transparent and accountable systems and policies, that guarantee the rights of the data subject. Data protection was always the responsibility of an organization, however, the advent of GDPR greatly increases the obligations of organizations regarding how they collect, record, share and protect personal data. The GDPR states that it is the duty of the controller (in this case small business management) to ‘integrate the necessary safeguards into the processing in order to meet the requirements of this Regulation and protect the rights of data subjects’ (Article, 25)

Failure to fully comply could lead to legal issues and heavy fines for a company.

Subject Access Rights Under GDPR

The GDPR now regards data protection as a basic freedom and now the data subject has the existing rights under the previous directive and some additional rights, notably those of erasure and portability. The rights of the data subject include

  • The data subject has a right to rectification (correction) of his or hers data,
  • The data subject’s right to access their personal data and sensitive personal data. Sensitive data is now called special categories of personal data under the GDPR,
  • The data subject has the right to be forgotten, this is the right to have one’s personal data held by an organization erased,
  • The data subject has the right to be informed,
  • The data subject has the right to data portability,
  • A data subject has the right to demand restrictions or object to the processing of their personal data.

It should be noted that these rights are not absolute for example the right to access personal data can be refused under a number of grounds including legal privilege and criminal investigation grounds, among others.

The GDPR means that the data of a subject must be managed in ways that do not interfere with the data subjects’ basic rights and grants them more control over how their data is used. Now organizations need to safeguard the data of private individuals and other organizations and they must be transparent. GDPR means that businesses are now more accountable for how they manage data and there are now higher penalties for any mismanagement around the processing of personal data of individuals, or ‘data subjects’, under the GDPR.

Data Protection Officers (DPOs)

To enforce the new regulations, the position of the Data Protection Officer has now become mandatory in many instances. These are employees or contractors who have been charged within an organization, with the safeguarding of the personal data of individuals. The GDPR states that ‘the controller and the processor shall ensure that the data protection officer is involved, properly and in a timely manner, in all issues which relate to the protection of personal data’ (Article, 38).

Among their duties regarding the protection of personal data are the following

  • assisting with Data Protection Impact Assessments (DPIA),
  • informing and advising the employees and the organization of their data protection obligations,
  • monitoring compliance with GDPR and raising awareness within the Organization,
  • being the contact point with the Data Protection Commissioner (DPC). However, based on the above duty it could be argued that a data protection officer does more than merely protects personal data but enables the data subject to control and monitor their data.

A data protection officer is someone who must have professional knowledge and expertise in the processing of data. According to Article 37 of the GDPR
‘The data protection officer shall be designated on the basis of professional qualities and, in particular, expert knowledge of data protection law’.

The DPO while paid by the company has something of an anomalous role in the organization they are expected to be advocates for the full implementation of the GDPR and the data user and they should be independent and in their role they are being supported by EU law. The DPO must not perform another role within the organization which would have a conflict of interest with that of the DPO role.

Who Requires a DPO?

It is important to remember that the GDPR only impacts on organizations and small business in Europe, America and around the world that process the personal data and sensitive data of data subjects based within the EU. If they do not its provisions does not apply to them. However, if they want to internationalize their organization or business they may need to prepare for GDPR. Another important issue to remember is that many non-European countries may adopt the GDPR. Therefore, it is recommended that any small business that has ambitions to expand into international markets may need to consider the employment of a DPO.

The impact of GDPR on businesses is not uniform and it will differ from sector to sector. It is important to know that the new data processing regulations make DPOs mandatory in only in certain instances. For example, where the management and use of personal data is a central activity of an enterprise and not that is something that is incidental to it. The nature of this personal data is set out in the GDPR and is defined as ‘means data relating to a living individual who is or can be identified either from the data or from the data in conjunction with other information that is in, or is likely to come into, the possession of the data controller;’

The definition of special categories of personal data, formerly called sensitive data means any personal data relating to:

(a) the racial or ethnic origin of the data subject; (b) the political opinions or the religious or philosophical beliefs of the data subject; (c) trade-union membership of the data subject; (d) the physical or mental health or condition or sexual life of the data subject; (e) biometric data; and (f) genetic data

The DPO may only be a legal requirement where the core activity of the company or organization is the processing of personal data. This includes the monitoring and surveillance of data that could be constructed as having implications for the privacy of an individual. Where a private enterprise processes special categories of data as part of its routine business then it is obliged to retain a DPO and failure to do so is an infringement of the GDPR regulations.

The exact criteria (for organisations in the private sector) for the requirement to appoint a DPO (shared or otherwise): are

  1. Large scale processing: where the core activities of the organisation (controller or processor) consist of data processing operations, which require regular and systematic monitoring of individuals on a large scale; or
  2. Sensitive/special category data: where the core activities of the organisation consist of special categories of data (e.g. health data) or personal data relating to criminal convictions or offences.

Large scale processing is not exactly defined by the GDPR. However, can be interpreted as number of individuals, volume of data, duration of processing and geographical spread. The words regular and systematic can be interpreted by continuous and part of an organized system of monitoring so would certainly include profiling and targeted marketing.

All public bodies processing personal data should appoint a DPO except for courts acting in their judicial capacity. There have been some reports that small businesses do not require a dedicated DPO because they are not typically involved in large scale processing requiring regular and systematic monitoring nor are they typically processing special categories of personal data. Moreover, their ability to monitor the personal data of individuals is limited by their scale and IT infrastructure. Certainly article 37 of the GDPR, according to some sources would seem to indicate that they are largely exempt from the mandatory employment of a DPO. This is something that is possibly related to the need not to place an unsustainable burden on the cost base of small enterprises. However, a close reading of the said article would seem to contradict this. There is nothing that explicitly states that small businesses are not covered by the obligation to retain or employ a DPO. There is no explicit statement that excluded small companies from the obligation to employ a DPO. Therefore, every small enterprise needs to consider if it is obliged, despite their limited resources to engage a DPO. In this respect it’s important to remember in this digital and application age a company with a small number of employees can process very significant amounts of personal data. The GDPR brings a risk-based approach to data protection so each organization needs to examine whether it needs a DPO, it’s important to note a DPO can be full or part-time, internal or external. Should an organization decide not to hire a DPO it should maintain a record detailing how it arrived at that decision.

The size and the structure of an organization do not exclude it from obligations set out in the GDPR. If a company irrespective of its size is processing special categories of data, there is an obligation for a DPO. The nature of the data that is processed by an organization is one key determinant of whether that they employ a professional who will be an advocate for the protection of individual’s privacy. Moreover, the GDPR encourages associations and sectors to develop their own codes about best practice in the area of data privacy. In the near future, it seems likely that the small business sector or specific industries will develop their own guidelines on best practice and these may include some references to the employment of an officer to protect individual’s data.

The reality is that many organizations and small businesses already have individuals who are DPOs and who seek to ensure that their organization is one that protects the privacy of individuals whose data they collect and process, even if it is not their core role. Small enterprises need to ensure that as per the GDPR guidelines that any DPOs are trained and have the expertise required to ensure an organization is in compliance with the regulations. They will also have to provide their details to the supervisory agency and they need to be granted more autonomy so that they can effectively advocate for the privacy rights of individuals. They will have to have a contract that is different from that of other employees and contractors. They need to be protected from sanctions and internal disciplinary measures that could threaten their ability to be an advocate for the data subject.

However, many small organizations and companies do not process data of a personal nature and despite some safeguards regarding employee data do not need a DPO. However, even they are impacted by the GDPR, as they need to demonstrate that they do not require a DPO. It is recommended that the management of a company (controllers) need to conduct an internal analysis which will determine if they require a DPO. This will identify the nature of the data that is processed and if it is currently being managed appropriately. This analysis needs to be thorough and shows that the organization does not process and monitor the personal data of individuals, including employees. This could be significant later to show that the business is not in breach of GDPR rules in relation to a DPO.

Wider Privacy Awareness

To conclude, the new GDPR regulations are going to result in wider awareness around privacy and this means that more and more organisations will need to avail of the services of a DPO, even though it appears that most small businesses will not need to appoint an-house DPO. It is important that every small business conducts an analysis against the requirement that they may need to retain a DPO. Where they process personal data in significant volumes they may need a DPO, either an employee or a contractor. Many small businesses have a DPO and it is important that they are skilled and experience and that they meet the criteria set down in the EU regulations. Failure to do so could have negative consequences for a company. Simply having a DPO is not enough they need to have the core competencies. Furthermore, small companies may need an employee dedicated to data protection so that they can conform to best practice in their area or sector, even where this person is not a full time DPO. These requirements are challenging for many small worldwide organizations and enterprises, but they are necessary as awareness of Privacy rights increases and data protection may even become a key differentiator between organizations and small businesses.

Author Profile: Michael Cryan, DPO, GDPR Specialist
Michael Cryan is ComplianceJunction’s subject matter expert for GDPR. Michael is responsible for tracking the evolution of GDPR as the new regulation is interpreted and implemented, including tracking case law as it evolves. Michael has 18 years of International experience and is trilingual. Michael Cryan is a certified Data Protection Officer (DPO) with the Association of Compliance Officers in Ireland (ACOI). Michael has also prepared a training module on GDPR and has in the past delivered training courses in Ireland, the UK, Canada, and France.