
It is saying that I MAY not have to appoint a DPO, depending on various criteria... but then when you go to look at what those criteria are, it merely tells you:

--- What does ‘regular and systematic monitoring of data subjects on a large scale’ mean?

There are two key elements to this condition requiring you to appoint a DPO. Although the UK GDPR does not define ‘regular and systematic monitoring’ or ‘large scale’, the Article 29 Working Party (WP29) provided some guidance on these terms in its guidelines on DPOs. WP29 has been replaced by the European Data Protection Board (EDPB) which has endorsed these guidelines. Although these guidelines relate to the EU version of the GDPR, they are also a useful resource for understanding the requirements of the UK GDPR.

‘Regular and systematic’ monitoring of data subjects includes all forms of tracking and profiling, both online and offline. An example of this is for the purposes of behavioural advertising.

When determining if processing is on a large scale, the guidelines say you should take the following factors into consideration:

    the numbers of data subjects concerned;
    the volume of personal data being processed;
    the range of different data items being processed;
    the geographical extent of the activity; and
    the duration or permanence of the processing activity.
---

So neither this page, nor the law (according to this page itself), nor any other guidance I have found defines what "a large scale" means. It gives some really squishy criteria, and then leaves it up to the DPA to fine whoever they want to, because they refuse to define anything in concrete terms. No one except commenters on Hacker News can possibly know whether or not they are in compliance.



