GDPR · Regulatory article
Your company has not appointed a DPO. Can you justify that decision?
It is not enough to ask whether the company is large. It is necessary to understand what it processes, how and why.
When DPO appointment is mandatory
Article 37 GDPR makes appointment mandatory in three cases: public authorities, regular and systematic monitoring on a large scale, and large-scale processing of sensitive or criminal data.
The common mistake
“We are an SME” does not settle the issue. Core activities, scale, monitoring and the nature of the data processed are what matter.
Accountability
Not appointing a DPO may be legitimate, but the organisation should be able to demonstrate the analysis and defend the decision made.
