General Data Protection Regulation (GDPR)

Appointing a data protection officer
The General Data Protection Regulation (GDPR) requires some businesses and organisations to designate a data protection officer (DPO).

Do I need a data protection officer?

All public authorities and bodies, including government departments, will need to appoint a DPO. In addition, your business may need a data protection officer if:

  • you regularly and systematically monitor data subjects on a large scale
  • you process sensitive personal data or data relating to criminal convictions on a large scale

For some businesses, this requirement means that they may need to hire a new member of staff, unless they have someone already in this role. You can appoint someone internally or contract out the role of DPO externally.

If your business carries out public tasks or exercises public authority, it would be best practice to designate a DPO. Even if you aren't required to, you can voluntarily appoint a DPO.

What is a data protection officer responsible for?

A DPO won't be personally liable for compliance, but has to take responsibility for data protection and compliance. They must have the knowledge, support and authority to do so effectively. They also have to report to senior members of staff, monitor compliance with the GDPR, advise you on your obligations and act as a point of contact for employees and customers.

If you are not sure whether you need to appoint a DPO, the Article 29 Working Party recommends carrying out and documenting an assessment. They have published guidelines on DPOs and DPO FAQs.

The Information Commissioner's Office also offers detailed guidance on appointing a DPO.

This guide aims to help you understand GDPR and your obligations under the law, but it does not constitute legal advice. For definitive legal guidance, see the ICO's guide on GDPR or consider getting independent legal advice.