Data Protection Act 2018
Designation of data protection officer
34. (1) The Minister may, following consultation with such other Minister of the Government as he or she considers appropriate and the Commission, make regulations requiring controllers, processors, associations or other bodies representing categories of controllers or processors to designate a data protection officer in accordance with Article 37(4).
(2) Regulations under subsection (1) may apply to—
(a) one or more than one class of controller,
(b) one or more than one class of processor, or
(c) one or more than one class of association or other body representing categories of controllers or processors.
(3) In making regulations under subsection (1) the Minister shall have regard to the need for the protection of individuals with regard to the processing of their personal data and, without prejudice to the generality of the foregoing, shall have regard in particular to—
(a) the nature, scope, context and purposes of the processing,
(b) risks arising for the rights and freedoms of individuals,
(c) the likelihood and the severity of such risk for the individuals concerned, and
(d) the costs of implementation of any requirement if it were imposed under that subsection.