Under UK GDPR, Public Authorities or Bodies, as well as businesses carrying out certain processes are required to appoint a Data Protection Officer (DPO). This article will explain why you need a DPO and what a DPO does for your organisation.

Are we required to have a DPO?

As stated above, UK GDPR law requires Public Authorities or Bodies and businesses carrying out certain processes to appoint a DPO. According to the ICO, the types of activities that would require a business to appoint a DPO are ones where your operations require “large scale, regular and systematic monitoring of individuals”, or if your “core activities consist of large scale processing of special categories of data or data relating to criminal convictions and offences.” If you are unsure on whether your organisation may fall under the scope which would require you to appoint a DPO, more information on this can be found on the ICO’s website, using the link at the bottom of this article.

Even if you are not required to have a DPO however, you can still appoint one. In addition to this, despite your organisation not being required to have  a DPO, you still have obligations under GDPR and must ensure that your organisation is being compliant with the relevant legislation. Therefore appointing a DPO despite not being required to have one under GDPR can be beneficial to your organisation, as they can ensure you are operating within the law and monitor compliance.

What are the DPO’s tasks and responsibilities?

As outlined in our FAQs regarding DPO’s, a Data Protection Officer is responsible for the following tasks;

1. Provide advice to an organisation about their responsibilities.
2. Monitor compliance with the law.
3. Advise on data protection impact assessments.
4. Cooperate with the ICO.
5. Be a point of contact for data subjects.

As outlined by the ICO, a Data Protection Officer must be given the independence to perform their tasks adequately, and report to the highest level of management. You also must involve your DPO in all matters that concern the protection of personal data, and this must be done in a timely manner.

The ICO also lists a number of tasks the DPO carries out. The Data Protection Officer’s main overarching responsibility is to ensure that your organisation is being compliant with UK GDPR, as well as all other relevant legislation and policies. They also provide training and generally emphasise the importance of data protection and its compliance. 

Who can be our DPO?

A DPO can also have other duties/tasks outside of the ones listed above, so long as they do not cause a conflict of interest with their primary tasks. According to the ICO, this means that the “DPO cannot hold a position within your organisation that leads him or her to determine the purposes and the means of the processing of personal data.” Therefore, whilst you are permitted to appoint an existing employee as DPO, it can be easier to ensure the DPO is carrying out their tasks and therefore your organisation being GDPR compliant if your DPO comes from outside the organisation. 

How do we support our DPO?

Once you appoint a DPO, you must also ensure that you are supporting them so that they can fulfil their duties properly. The ICO lists 8 ways that you must support your DPO. They are as follows:

• The DPO must be involved, closely and in a timely manner, in all data protection matters;
• The DPO must report to the highest management level of your organisation, ie board level;
• The DPO must operate independently and must not be dismissed or penalised for performing their tasks;
• You must provide adequate resources (sufficient time, financial, infrastructure, and, where appropriate, staff) to enable the DPO to meet their UK GDPR obligations, and to maintain their expert level of knowledge;
• You must give the DPO appropriate access to personal data and processing activities;
• You must give the DPO appropriate access to other services within your organisation so that they can receive essential support, input or information; and
• You record the details of your DPO as part of your records of processing activities.

As you can hopefully see, your Data Protection Officer plays a vital role in your organisation, and it is important that they are given the right platform to carry out their duties to the fullest capacity in line with UK GDPR. More information regarding DPOs can be found on the ICO website, using the following link:

https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/accountability-and-governance/data-protection-officers/

We hope this article has helped you understand what a Data Protection Officer is, why you may need one and what their obligations are. If you would like to contact us with any questions you may have, please do not hesitate to contact us by sending an email to This email address is being protected from spambots. You need JavaScript enabled to view it..