The rise of the Data Protection Officer

“The GDPR requires that an entity appoint a Data Protection Officer if they are:

  • A public authority

  • An organisation which carries out large scale monitoring of individuals, such as online behavioural tracking

  • An organisation which carries out large scale processing of special categories of data or the processing of criminal offences.

The GDPR defines special categories of data as personal data that reveal the following about an individual:

  • Racial or ethnic origin

  • Health conditions

  • Sexual activities

  • Sexual orientation

  • Political views

  • Membership of a trade union

  • Genetic or biometric data

  • Religious or philosophical beliefs.

If you process any of theses categories of data on a large scale, then you are required to appoint a Data Protection Officer. 

The one caveat on this, is that as of this point, September 2017, there is no clarification as to how large scale will be categorised. Data protection specialists, including myself, are awaiting guidance from the ICO as to how this will be classified. 

However, regardless of the boundaries that the ICO decide upon, my advice would be - if you are an organisation that would suffer greatly from a breach, in terms of fines, or repetitional damage, then you should consider appointing a designated Data Protection Officer. It is safer for you and your customers to have someone with the appropriate expertise ensuring your compliance obligations are being met on an ongoing basis.

If you want to here more about how Briefed can help you on your journey to GDPR compliance, please visit”.