Who Needs to Appoint a Data Protection Officer?

21 August 2025

At a Glance…

  • A DPO is mandatory under the GDPR for organisations engaged in large-scale monitoring, those processing special category or criminal data, or public authorities
  • Voluntary appointments are encouraged for organisations wanting to demonstrate accountability and strengthen their data protection practices
  • Outsourcing a DPO is a practical solution for many businesses, offering flexibility and compliance support without the burden of internal resourcing

 Not sure if you need a DPO? Find out with the ICO.

Safeguarding personal information isn’t just “good practice” - it’s the law. Under the General Data Protection Regulation (GDPR), certain organisations are required to appoint a dedicated Data Protection Officer (DPO) to oversee compliance, manage risk, and act as the point of contact with the Information Commissioner’s Office (ICO) for UK GDPR. Under the EU GDPR, the DPO is the point of contact for each member country's own relevant supervisory authority.

But who exactly is required to appoint a DPO? Whether you’re a public body, a company processing large-scale sensitive data, or a business whose core activities hinge on monitoring individuals, understanding when and why to designate a DPO is critical for data protection compliance.

Mandatory Appointments of a DPO

Under the EU and UK GDPR, certain organisations MUST appoint a DPO as a legal requirement. These include:

  • Organisations Carrying Out Large-Scale, Regular, and Systematic Monitoring
    Businesses whose core activities involve profiling or tracking individuals on a large scale are required to appoint a DPO. This would include organisations such as:
    • Major online platforms
    • Advertising networks
    • Telecom providers
  • Organisations Which Process Large Amounts of Personal Data
    Businesses which store or process large amounts of sensitive or identifying information (known as “special category data”) must appoint a DPO, such as:
    • Insurance companies
    • Cloud storage providers
    • Banking organisations
  • Public Authorities and Bodies
    Any government department, local authority, police force, NHS trust, or other public-sector organisation processing personal data must designate a DPO to oversee compliance.

Note: SMEs are not exempt if their operations fall into any of the above categories.

| Type of Organisation | Why a DPO Is Required | Examples |
| --- | --- | --- |
| Large-scale, regular & systematic monitoring | Core activities involve regular and systematic monitoring of individuals on a large scale (e.g. profiling, behavioural tracking). | Marketing analytics firms, companies which conduct online behavioural profiling, and companies which are required to use CCTV as a legal requirement or condition of their operation. |
| Large-scale processing of special category data | Core activities consist of large-scale processing of special category data (health, race, religion, biometrics, etc.). | Hospitals and clinics, insurance companies processing health data, and biotech labs. |
| Large-scale processing of criminal offence data | Core activities involve large-scale processing of criminal convictions or offence data. | Law enforcement agencies, background-check providers, and rehabilitation charities. |
| Public authorities or bodies | All public authorities or bodies, except courts acting in a judicial capacity. | Central government departments, local councils, and NHS trusts. |

Voluntary Appointments of a DPO

Even when an organisation doesn’t meet these strict criteria, the ICO recommends that appointing a DPO - or at a minimum a dedicated GDPR manager - is “good practice.” This voluntary step can help smaller companies embed privacy by design and signal to customers and regulators that data protection is thoroughly considered. In short, a DPO isn’t just a compliance box to tick; they are a strategic asset in managing risk within the organisation and building trust with customers.

Can the DPO Be an Existing Employee?

Yes, you can appoint an existing employee as your DPO - provided they have the correct expertise, their current duties align with the DPO role, and they present no conflict of interest. For information about the qualities and experience of a DPO, please read our related article.

Enforcement Spotlight: DPO Conflict of Interest Leads to Fine

In 2020, the Belgian Data Protection Authority (APD or GBA) fined an organisation €50,000 for appointing the director responsible for audit, risk, and compliance as the Data Protection Officer. The organisation lacked policies that would prevent conflicts of interest, which undermined the DPO's independence, demonstrating the importance of ensuring the DPO role is free from conflicts.

Can You Share a DPO With Other Organisations?

You can appoint one Data Protection Officer to serve a group of companies or public bodies - but only if they can effectively cover all entities, given their size and complexity. This means you should ensure they have the resources - in terms of information available to them and colleagues to assist them - to fulfil their duties. Their contact details must be easy for employees, the ICO, and data subjects to find.

Can You Have Multiple DPOs?

The UK GDPR requires you to appoint one individual as your DPO, but you can also build a supporting data protection team. Choose the structure that works best for your organisation, ensuring one person is officially designated as DPO. If you have additional specialists, define each team member’s role and relationship to the DPO, and never label anyone other than the designated individual as “the DPO”.

Can You Outsource a DPO?

Yes, you can outsource the DPO role to an external expert or consultancy, provided they possess the requisite expertise in data protection law and practice. Outsourcing can be cost-effective for smaller organisations, those wanting to ensure compliance, or those lacking in-house expertise. It will still meet GDPR requirements as long as the appointed service is independent, adequately resourced, and has direct access to senior management. However, you must document the arrangement and ensure clear lines of communication and responsibility.

Cost-Efficient Compliance Through Outsourced DPO Services

Finding a high-quality DPO is a challenge for many organisations, especially those that face resource and time limitations. By outsourcing the role of a DPO to Data Driven Legal, we can ensure that you only pay for the work that you receive, allowing you to prioritise other areas of your business.

If you’re uncertain about your DPO obligations, please book a 30-minute meeting with a member of our team. Alternatively, you can contact us today to learn more about our outsourced DPO services.