The European Union’s General Data Protection Regulation (GDPR) requires that a company appoint a data protection officer (DPO) when one of three criteria is met:
- The organization is a public authority or body;
- The core activities of the controller or the processor consist of processing operations that require regular and systematic monitoring of data subjects on a large scale; or
- The core activities of the controller or the processor consist of processing on a large scale of special categories of data or personal data relating to criminal convictions and offenses.

Does the DPO role need to be a standalone position? Or can someone in the compliance department add the responsibility to his or her plate?



