I’m increasingly asked whether particular firms actually need to appoint a Data Protection Officer (DPO) in order to comply with the GDPR. Given that the potential fine for non-compliance with Article 37 is up to €10 million or 2% of total worldwide annual turnover, whichever is higher, companies quite understandably don't want to get such a basic issue wrong. Many firms that are essentially B2B, and that mainly process personal data for HR purposes, don't want to gold-plate their privacy compliance programmes (to the extent they have any) by taking unnecessary action.
The Article 29 Working Party (A29WP) published guidelines on this subject (WP243) last December. To be frank, they’re only somewhat helpful.
With regard to the private sector, firms whose core activities consist of processing that requires regular and systematic monitoring of individuals on a large scale, or of large-scale processing of special categories of personal data (or of data relating to criminal convictions and offences), must appoint a DPO (Article 37(1)(b) and (c)). Public authorities and bodies must appoint one regardless of what they process.
The meaning of “core activity” is set out in Recital 97: the core activities of a controller ‘relate to its primary activities and do not relate to the processing of personal data as ancillary activities’. The A29WP opines that “all organisations carry out certain activities, for example, paying their employees or having standard IT support activities. These are necessary support functions for the organisation’s core activity or main business. Even though these activities are necessary or essential, they are usually considered ancillary functions rather than the core activity.”
So, it would appear that the GDPR itself does not require firms that only process personal data for HR purposes to appoint a DPO (although Article 37(4) lets Member State law require one in other cases).
But what about, say, the customer data that's processed by firms – particularly by those in the B2B sector? How much (personal) customer data needs to be processed before the threshold for appointing a DPO is reached?
To answer this question, I’ve looked at the A29WP’s guidance on the meaning of the term “large scale”. Firms that don't process such data on a large scale are not caught by Article 37(1)(b) or (c). Unfortunately, neither the guidance nor the GDPR defines the term. The A29WP says it is not possible to give a precise number, and instead lists factors to weigh (the number of data subjects, the volume and range of data items, the duration of the processing and its geographical extent) alongside a handful of examples. It does recommend that a firm which decides it does not need a DPO document the internal analysis behind that decision.
Recital 91 explains, in the context of Data Protection Impact Assessments, that “large-scale processing operations” include those “which aim to process a considerable amount of personal data at regional, national or supranational level and which could affect a large number of data subjects and which are likely to result in a high risk” to individuals. On the other hand, the recital specifically provides that “the processing of personal data should not be considered to be on a large scale if the processing concerns personal data from patients or clients by an individual physician, other health care professional or lawyer”.
So, the test appears to turn on the size of the firm as much as on the amount of personal data being processed. Accordingly, the smaller SMEs will generally not be required to appoint a DPO. This matters, as SMEs account for more than 99% of all UK businesses.
Unfortunately, there is one fundamental problem with the SME sector: even within the UK government, there is no single definition of what a small or medium enterprise is.
According to The Company Warehouse, for the purpose of Research and Development Tax Relief, HMRC defines an SME as a business with not more than 500 employees and an annual turnover not exceeding £100 million.
However, the rest of the UK government does not use this definition.
For the purposes of collecting statistics, the Department for Business, Innovation & Skills defines SMEs as companies with fewer than 250 employees.
For accounting purposes, Companies House defines a small business as one employing fewer than 50 people with a turnover under £6.5 million, and a medium business as one with fewer than 250 employees and a turnover under £25.9 million.
To further complicate things, other parts of the UK government use the EU definition of an SME, whose turnover thresholds are set in euros:
- Micro Business = fewer than 10 employees & turnover under €2 million
- Small Business = fewer than 50 employees & turnover under €10 million
- Medium Business = fewer than 250 employees & turnover under €50 million
So, depending on which definition you use, the employee ceiling for an SME is anywhere from 50 to 500, and the turnover ceiling anywhere from £6.5 million to €50 million.
One way to encourage SMEs to comply with the GDPR must involve coming up with an easier definition of when they must appoint a Data Protection Officer.
Sources:
http://ec.europa.eu/information_society/newsroom/image/document/2016-51/wp243_en_40855.pd
https://www.thecompanywarehouse.co.uk/blog/2012/07/31/what-is-an-sme/