The European Union’s General Data Protection Regulation (“GDPR”) is arguably the most comprehensive – and complex – data privacy regulation in the world. As companies prepare for the GDPR to go into force on May 25, 2018, there continues to be a great deal of confusion regarding the requirements of the GDPR.
To help address that confusion, Bryan Cave is publishing a multi-part series that discusses the questions most frequently asked by clients concerning the GDPR.
Question: What Does “Large Scale” Mean When Determining Whether A Data Protection Officer Is Necessary
Answer: The term “large scale” is not defined in the GDPR, however the European Union’s Article 29 Working Party – an influential, independent advisory body to the European Commission on data protection matters that is chiefly comprised of representatives from each member state’s data protection authority – has issued some guidance in this respect. The Working Party recommends looking at the following factors, when determining whether the processing is carried out on a “large scale:”
Thus, processing may be on a large scale where it involves a wide range or large volume of personal data, where it occurs over a large geographical area, where a large number of individuals are affected, or where it is extensive or has long-lasting effects.
Furthermore, the Article 29 Working Party has provided the following examples of large-scale processing:
1. WP 243: Guidelines on Data Protection Officers (Apr. 5, 2017).