The European Union's General Data Protection Regulation ("GDPR") is arguably the most comprehensive - and complex - data privacy regulation in the world.  Although the GDPR went into force on May 25, 2018, there continues to be a great deal of confusion regarding the requirements of the GDPR.

To help address that confusion, Bryan Cave Leighton Paisner is publishing a multi-part series that discusses the questions most frequently asked by clients concerning the GDPR.

Question: When would a law firm be required to appoint a Data Protection Officer?

Answer: companies – including law firms –are only required to appoint a Data Protection Officer in the following two situations:

1. The “core activities” of the firm consist of the “systematic monitoring” of people on a “large scale.”¹
2. The “core activities” of the firm consist of processing “special categories of data” on a “large scale.”  For the purposes of appointing a Data Protection Officer this includes the following types of data: racial origin, ethnic origin, political opinions, religious beliefs, philosophical beliefs, trade union membership, genetic data, biometric data (if used for identifying a person), health data, data relating to an individual’s sex life, data relating to an individual’s sexual orientation, or data relating to criminal convictions and offenses.²

If neither of the above situations applies to a law firm it is not required to have a Data Protection Officer under the GDPR. 

As a practical matter, few (if any) law firms are likely to engage in systematic monitoring of people.  Most law firms also would not be expected to engage in processing special categories of data on a large scale.  There may be situations, however, in which a law firm does engage in such activity.  For example, if litigation in which the law firm was involved required the firm to collect data about the health of hundreds of thousands of individuals (e.g., in a medical product liability class action) it is possible that the firm may be engaging in the processing on a large scale of special categories of information. There would still remain uncertainty, however, whether a supervisory authority would view such processing as a “core activity” of the law firm or as an ancillary activity that related to the larger activity surrounding the litigation. 

It is worth noting that while the GDPR may not require that a firm retain a Data Protection Officer, some Member States (i.e., Germany) may impose such a requirement under their domestic data privacy laws.

1. GDPR, Article 37(1)(b).  See also WP 243 Annex—Frequently Asked Questions.

2. GDPR, Articles 9, 10, 37(1)(c).  See also WP 243 Annex—Frequently Asked Questions.

[View source.]