Does My Business Need a GDPR Officer?
Not all businesses will require a data protection officer (DPO). There are three main criteria that determine whether a GDPR officer must be appointed:
- Where data processing is carried out by a public authority or body;
- Where the main data processing operation is regular, systematic and on a “large scale”;
- Where any data processing relates to special categories of data such as those relating to criminal convictions or offences.
The above requirements apply to both controllers and processors of data.
It is important to be clear whether data processing is a key part of the organisation’s activities. For instance, a hospital’s main activity is the provision of health care, which involves patient health records (personal data), so it would certainly require a DPO. A company processing data for payroll or employment purposes is not collecting data as a main part of its job, so it would not require a DPO. If you are at all unsure, it is certainly worth taking a look at our GDPR services, where we can advise you on the best course of action to take and whether your organisation needs to appoint a DPO.