The short answer is a designated Data Protection Officer (DPO) is not mandatory for all organizations.
Which of course begs the question “What organizations do require one?”
A DPO is mandatory wherever the data processing is carried out by a public authority or a company (controller or processor) whose core activities consist of processing operations which require regular and systematic monitoring of data subjects.
A DPO is also mandatory when certain thresholds are exceeded. For example, the Commission requires any organization with more than 250 employees to have a DPO. However, Parliament requires an organization that processes over 5000 personal data records in a 12-month period to have a DPO.
Your organization may find that appointing a DPO is a practical way to make sure GDPR requirements are met. So even where one isn’t required, it may make GDPR compliance easier if data protection is assigned to a single individual with appropriate authority.
Like virtual CISOs, a DPO can be outsourced; it’s not mandatory that the DPO be an employee of the company.
The Council defers to the EU or member state law with respect to DPO requirements. Since member states have varying perspectives on this topic, it’s going to be up to the Council to try to find a universally accepted metric.
The Commission, Parliament and the Council? These are all important EU-level stakeholders behind GDPR. More information about each and what their roles and responsibilities are can be found here:
- European Union Commission: https://ec.europa.eu/
- European Union Parliament: https://europa.eu/european-union/about-eu/institutions-bodies/european-parliament_en
- European Union Council: https://europa.eu/european-union/about-eu/institutions-bodies/council-eu_en
Sera-Brynn is ready to help with your GDPR compliance goals. Contact us today if you’d like to learn more about how we can assist.