Varonis announces strategic partnership with Microsoft to accelerate the secure adoption of Copilot.

Learn more

GDPR: Do You Have to Hire a DPO?

I suspect right about now that EU (and US) companies affected by the General Data Protection Regulation (GDPR) are starting to look more closely at their compliance project schedules. With...
Michael Buckbee
3 min read
Published January 11, 2017
Last updated October 21, 2021

I suspect right about now that EU (and US) companies affected by the General Data Protection Regulation (GDPR) are starting to look more closely at their compliance project schedules. With enforcement set to begin in May 2018, the GDPR-era will shortly be upon us.

One of the many questions that have not been full answered by this new law (and still being worked out by the regulators) is under what circumstances a company needs to hire a data protection officer (DPO).

Get the Free Essential Guide to US Data Protection Compliance and Regulations

There are three scenarios mentioned in the GDPR (see article 37) where a DPO is mandatory: the core activities involve the processing of personal data by a public authority; the core activities involve “regular and systematic monitoring of data subjects on a large scale”; or the core activities require large-scale processing of special data—for example, biometric, genetic, geo-location, and more.

Companies falling into the second category, which I think covers the largest share, are probably pondering what is meant by “regular and systematic monitoring” and “large-scale”.

As a non-legal person, I even noticed these provisions were a bit foggy.

A few months ago, I asked GPDR legal specialist Bret Cohen at Hogan Lovells about what the heck was meant.

Cohen’s answer was that, well, we’ll have to wait for more guidance from the regulators.

And Thus Spoke the Article 29 Working Party

No, the Article 29 Working Party (WP29) is not the name of a new Netflix series, but will, under the GDPR, become a kind of super data protection authority (DPA) providing advice and insuring consistency between all the national DPAs.

Anyway, last month the WP29 published a guidance addressing the confusing criteria for DPOs.

And after reading it, I suppose, I’m still a little confused.

For those of us who were following the GDPR and watching how this legal sausage was made, the DPO was one of the more contentious provisions.

There were differences of opinion on whether a DPO should be mandatory or optional and on the threshold requirements for having one in the first place. Some were arguing that it should be the number of employees (250) of a company and others, the number of records of personal data processed (500).

The parties — EU Commission, Parliament, and Council — finally settled on DPOs being mandatory but they removed specific numbers. And so we’re left with this vague language.

The new guidance provides some clarification.

According to the WP29, “regular and systematic” means, in human-speak, a pre-arranged plan that’s carried out repeatedly over time.

So far, so good.

What does “large scale” mean?

For me, this is the more interesting question. The WP29 said the following factors need to be taken into consideration:

  • The number of data subjects concerned – either as a specific number or as a proportion of the relevant population
  • The volume of data and/or the range of different data items being processed
  • The duration, or permanence, of the data processing activity
  • The geographical extent of the processing activity

We’re All Monitoring Web Behavior

You can kind of see what the law makers were grappling with in the list of factors. But it’s still a little muddy.

Obviously, an insurance company, bank, or retailer that collects personal data from millions of customers would require a DPO.

However, a small web start-up with a few employees can be also engaged in large-scale monitoring.

How?

Suppose their free web app is being accessed by tens or hundreds of thousands of visitors per month. The startup’s site may not be collecting personal data or very minimal personal data other than tracking browser activity with cookies or by other means.  I use plenty of freebie sites this way — especially news sites — and the advertising I see reflects their knowledge of me.

But according to the guidance and other language in the GDPR, monitoring of web behavior would be a type of “monitoring” that’s mentioned in the DPO provisions.

I could be mistaken but it seems to me that any company with a website that receives a reasonable amount of traffic would be required to have a DPO.  And this would include lots of B2Bs that don’t necessarily have a large customer base compared to a consumer company.
It’s a confusing point that I’m hoping to get resolved by our attorney friends.

In the meantime, more explanation on this somewhat wonkish, but important topic, can be found here by the brilliant people over at the IAPP.

What you should do now

Below are three ways we can help you begin your journey to reducing data risk at your company:

  1. Schedule a demo session with us, where we can show you around, answer your questions, and help you see if Varonis is right for you.
  2. Download our free report and learn the risks associated with SaaS data exposure.
  3. Share this blog post with someone you know who'd enjoy reading it. Share it with them via email, LinkedIn, Reddit, or Facebook.

Try Varonis free.

Get a detailed data risk report based on your company’s data.
Deploys in minutes.

Keep reading

Varonis tackles hundreds of use cases, making it the ultimate platform to stop data breaches and ensure compliance.

do-your-gdpr-homework-and-lower-your-chance-of-fines
Do Your GDPR Homework and Lower Your Chance of Fines
Advice that was helpful during your school days is also relevant when it comes to complying with the General Data Protection Regulation (GDPR): do your homework because it counts for...
gdpr:-pseudonymization-as-an-alternative-to-encryption
GDPR: Pseudonymization as an Alternative to Encryption
Have I mentioned lately that the General Data Protection Regulation (GDPR) is a complicated law? Sure, there are some underlying principles, such as Privacy by Design (PbD) and other ideas,...
frequently-asked-questions-(faq):-gdpr-and-hr/employee-data
Frequently Asked Questions (FAQ): GDPR and HR/Employee Data
As I wrote in another post, HR records are considered personal data and covered under the General Data Protection Regulation (GDPR). Since I keep on hearing from people who should...
another-gdpr-gotcha:-hr-and-employee-data
Another GDPR Gotcha: HR and Employee Data
Have I mentioned recently that if you’re following the usual data security standards (NIST, CIS Critical Security Controls, PCI DSS, ISO 27001) or common sense infosec principles (PbD), you shouldn’t...