When Do I Need A DPO, and What Does A DPO Do?

Data Protection Officers play integral roles when maintaining data protection compliance for many organisations. We explore if you need a DPO for your business.

When do I need a Data Protection Officer (DPO)?

Your organisation will have a duty to appoint a data protection officer under the UK GDPR if you are a public authority/body, or if you carry out certain types of processing activities. If you are not a public body/authority, you will need to appoint a DPO when:

 

  1. your core activities (if you need to process personal data to achieve your key objectives) consist of processing activities, and these processing activities require the systematic monitoring of individuals on a large scale; or
  2. your core activities consist of processing special category data or data relating to criminal convictions/offences at a large scale.

Regular and systematic monitoring on a large scale

 

Although there is no set definition in legislation, there are guidelines that suggest this consists of all forms of tracking and profiling, whether online or offline. When considering whether the processing is large scale, you will need to consider various factors and not just the numbers of data subjects whose personal data is being processed (although this is still a factor to consider), including:

 

  1. the volume of personal data being processed;
  2. the range of different data items;
  3. the geographical extent of the activity; and
  4. the duration or permanence of the processing.

Large scale processing of special category data and criminal convictions and offences data

 

This processing carries a higher risk and therefore you are required to appoint a DPO who can assist your organisation when making decisions surrounding these processing activities. In order to determine if the processing is large scale, your organisation should consider the factors mentioned above.

What does a DPO do?

 

Under Article 37 of the GDPR, a DPO should be appointed on the basis of their professional qualities with particular regard to their experience and knowledge of data protection law. 

 

Article 39 of the GDPR outlines the tasks of the DPO to include:

  • Informing and advising an organisation and their employees about the obligations to comply with UK data protection laws.
  • Monitoring compliance with the GDPR and other data protection laws.
  • Managing internal data protection activities and policies, raising awareness of data protection issues, training staff and conducting internal audits to monitor compliance.
  • To advise when a data protection impact assessment (DPIA) should be completed and to monitor their completion.
  • To cooperate and act as the organisation’s point of contact for the ICO.
  • To act as the organisations’ point of contact for individuals whose data is being processed.

 

A DPO’s tasks are not just those contained under Article 39 as they are also required to consider the risk of the processing and put their focus onto the higher risk processing activities of the organisation. 


It is important to note that although a DPO is assigned to assist in an organisation’s data protection compliance, the DPO is not personally responsible or liable if something goes wrong, that onus still lies with the organisation as the data controller or data processor. In addition, if you or your organisation chooses to not follow the advice then the reasoning behind this decision should be documented to demonstrate the organisation’s accountability.

Key take-aways

 

DPOs have a wide range of tasks in order to help your organisation maintain compliance with data protection laws and you should have a DPO appointed if you are a public authority, the processing is systematically monitoring on a large scale, or the processing is processing special category/criminal data at a large scale.

How can DPAS help?

 

Here at DPAS we offer a range of DPO services, including an outsourced DPO service to help give you more peace of mind. 


If you’d like to talk to us more about how we can help, either give us a call on 0203 3013384 or send us an email at info@dataprivacyadvisory.com – or fill in a contact form and we’ll get in touch with you.

related posts

Jack Penaligon

How to Respond to a Data Breach: A Practical Guide

This blog provides an overview of the practical steps organisations can take to reduce the impact of a data breach once it has been identified. It focuses on the actions that should be taken during the early stages of an incident to contain the breach, protect affected individuals, and meet regulatory requirements.

The article discusses a range of mitigation measures, including contacting unintended recipients of personal data, securing the deletion or recovery of exposed information, isolating compromised systems, and maintaining clear records of actions taken. It also explores the challenges posed by both digital and physical data breaches, highlighting the importance of balancing operational needs with data protection obligations.

Finally, the blog emphasises the value of preparation, explaining how established procedures, communication templates, and predefined response plans can help organisations respond more effectively and demonstrate accountability during a regulatory investigation.

Read More »
Noah de Wild

How to Assess a Data Breach: A Practical Guide

This blog explains how to assess a data breach by identifying its cause, determining what information was exposed, and evaluating the potential impact on affected individuals and the organisation. It outlines common causes of breaches, the importance of understanding the type and scale of compromised data, and how assessing the timeline of an incident can help businesses respond effectively, meet legal obligations, and reduce long-term risks.

Read More »
Noah de Wild

Don’t Panic: A Pragmatic Guide to the June 2026 Enforcement of the Data (Use and Access) Act Changes

With the June 19, 2026 enforcement of the Data (Use and Access) Act approaching, ensuring your business is compliant doesn’t have to be complicated or expensive. In our latest guide, we break down exactly what the new data protection complaint rules mean for you. Cut through the noise and discover our simple, free six-step checklist to update your protocols, designate handlers, and keep your business confidently compliant.

Read More »

Get a Free Consultation