If your organization operates in the UK or EU, appointing a Data Protection Officer (DPO) isn’t always optional, but it can be difficult to determine when it is a legal requirement.
One of the key factors is large-scale processing of personal data. However, the General Data Protection Regulation (GDPR) doesn’t offer a precise definition for this, which leaves room for interpretation and can cause confusion.
In this blog, we explain what qualifies as large-scale processing, the criteria for appointing a DPO, and how the rules apply across key sectors.
- When is a DPO legally required?
- What is ‘large scale’ processing?
- Examples of ‘large scale’ processing
For simplicity, we use ‘GDPR’ to refer to both the EU and UK versions of the General Data Protection Regulation. While the two frameworks are broadly aligned, there are notable differences, particularly around international data transfers.
Recent developments in UK legislation, including the Data Use and Access Act 2025, may also affect your organization’s obligations. We recommend seeking advice from a data protection professional to ensure your approach remains compliant and up to date.
When is a DPO legally required?
Under Article 37 of the GDPR, organizations must appoint a DPO if they:
- Are a public authority or body (excluding courts acting in a judicial capacity)
- Regularly and systematically monitor individuals on a large scale as part of their core processing activities
- Process special categories of personal data on a large scale
A DPO can be an internal employee or an external provider. Learn more in our blog, Hiring a Data Protection Officer – Internal vs. Outsourced.
A single DPO may serve multiple organizations, such as a corporate group, public authorities, or associations.
These requirements ensure that organizations engaged in complex or high-risk data processing have independent oversight to support GDPR compliance.
What is ‘large scale’ processing?
The GDPR doesn’t define large-scale processing, but individual regulators provide guidance to help organizations assess their activities.
According to the UK’s Information Commissioner’s Office (ICO), key factors include:
- Number of individuals: Processing data from a significant population
- Volume: Handling large quantities of personal data
- Variety: Processing different types of data
- Frequency and duration: Ongoing or frequent processing
- Geographic reach: Operating across multiple regions or countries
You don’t need to meet all of these to qualify as large-scale, and any combination may apply depending on the context. It’s advisable to consult with a data protection professional to help assess your specific situation.

Examples of ‘large scale’ processing
The following sector-specific examples illustrate what may qualify under the GDPR as large-scale processing:
- Healthcare: A hospital handles various data types, such as medical records, insurance data, and appointment histories for thousands of patients
- Finance: A bank processes account details and transactions for millions of customers
- Technology: A cloud provider stores and manages vast amounts of files, photos, and personal details across multiple countries
- Retail: A clothing chain tracks purchase histories, payment data, and shipping info for millions of customers
- Education: A university processes applications, academic records, financial aid data, and health information for thousands of students
- Charity: An organization manages donor details, donation records, and beneficiary information at scale
Key takeaways
Determining whether your organization conducts large-scale processing is key to understanding if you’re legally required to appoint a Data Protection Officer (DPO) under the GDPR. Public authorities, organizations that systematically monitor individuals, or those processing large volumes of sensitive data typically fall within this requirement.
Assess your obligations by considering factors like the number of data subjects, volume and variety of data, processing frequency, and geographic reach.
Appointing a DPO can strengthen your data protection framework and show a proactive stance on compliance, even if not legally required.
The DPO Centre offers a range of outsourced data protection services, including fractional DPOs and EU/UK Representatives. Contact us to learn how we can help you meet your legal obligations.