When do you need a Data Protection Officer?

4 April 2023

GDPR includes a statutory requirement for a Data Protection Officer, or DPO, in the following situations. 


1. the core activities of the organisation involve data processing requiring regular and systematic monitoring of data subjects on a large scale.

For example:

  • operating a telecommunications network or providing telecommunications services;
  • profiling and scoring for purposes of risk assessment (for credit scoring, or to calculate insurance premiums online or detect fraud or money-laundering);
  • location tracking, for example, by mobile apps or online;
  • managing or administering loyalty programmes;
  • tracking for purposes of behavioural advertising;
  • using CCTV;
  • managing or administering connected devices such as smart meters, smart cars, home automation, and so on.


2. the core activities of the organisation involve data processing sensitive personal data on a large scale.  Sensitive data is information about health, sexuality, race or ethnicity, religious or philosophical beliefs, political views, genetic data that identifies an individual, Trade Union membership and biometric data.

For example:

  • providing health-care services, running a pharmacy, optician or similar;
  • fitness monitoring through wearable devices;
  • profiling and scoring for purposes of risk assessment to calculate insurance premiums online;
  • administration of financial services such as life insurance, pensions and personal injury claims management;
  • running health and fitness clubs.
Who can be a Data Protection Officer?

Any person with appropriate experience and understanding of data protection law is a good candidate for the DPO role.

In addition, the individual needs to be sufficiently senior to ensure that their views are heard and given credence at the top level of the organisation. 

The individual appointed can have other duties and responsibilities in the business so long as these do not conflict with the DPO role.  Jobs likely to be in conflict with the DPO role include the Head of HR, Head of IT, CEO or MD and operational directors.

The DPO need not be an employee, the role can be outsourced to a third party.  The role may be undertaken by another firm so long as a designated individual in that firm is tasked with specific responsibility for the role in your organisation.

How is a Data Protection Officer appointed?

The appointment must be made in writing and the name of the DPO registered with the Information Commissioner’s Office.  The online data protection register is set up to accept details at


GDPR includes a list of duties of the DPO so there is a formal framework attaching to the role.  The organisation is also bound to ensure that the DPO has adequate funding, support and independence to undertake the role.

The future of the DPO role in the UK

In the UK it is likely that the requirement to appoint a formal DPO will be relaxed so that the role is non-statutory, with less rigorous control of day to day activities and tasks of the role.  This means that the compliance role will be able to be met by more junior colleagues and those who might be conflicted out of the statutory role (see the Data Protection and Digital Information Bill).  However the Information Commissioner’s Office will still expect organisations to have a compliance control framework in place and to designate a senior member of their team to act as compliance contact with responsibility for data protection.

What we can do to help

We offer a Data Protection Officer service, together a number of other services, which will ensure you have peace of mind, knowing that you have the support of regular, routine compliance checks. Thereby giving you comfort that the compliance role is being fulfilled and that it can be evidenced to regulators and other stakeholders.


Mandy P Webster

3 April 2023