What’s a DPO and does my business need one?



A ‘DPO’, or Data Protection Officer, is the person in a business who has been appointed to deal with all matters relating to data privacy. Under the current Data Protection Act there are no mandatory requirements to appoint a DPO, although some businesses that process a high volume of data may have someone in that role already.

There has been a lot of confusion over the last few months about whether the implementation of GDPR [1] (on 25th May 2018) or the introduction of the Data Protection Bill 2017 means that businesses now have to appoint a DPO. The answer to that question is no, not all businesses need to appoint a DPO, BUT that doesn’t necessarily mean that it’s not in your business’s best interests to have someone who is solely responsible for data privacy matters.


The GDPR requirements are set out in Article 37:

“The controller and the processor shall designate a data protection officer in any case where:

  1. The processing is carried out by a public authority or body, except for courts acting in their judicial capacity;

  2. The core activities of the controller or the processor consist of processing operations which, by virtue of their nature, their scope and/or their purposes, require regular and systematic monitoring of data subjects on a large scale; or

  3. The core activities of the controller or the processor consist of processing on a large scale of special categories of data pursuant to Article 9 and personal data relating to criminal convictions and offences referred to in Article 10.”

GDPR also points out that it is ‘entirely reasonable’ to share a DPO with other organisations. The role could also be performed by a current employee alongside their existing duties.

The Data Protection Bill

The Data Protection Bill [2] will introduce GDPR into UK legislation, a step that is only necessary because of Brexit (GDPR is a Regulation, so it applies to all member states without the need for domestic legislation). The Bill will cover GDPR, which applies to ‘general processing’, but also the Law Enforcement Directive [3], which must be transposed into domestic law by 6th May 2018. Finally, the Bill also covers processing for National Security, which is currently not covered by either GDPR or the Law Enforcement Directive.

Under the Bill, the GDPR requirements around DPOs will stand and the only addition is in Part 4, Chapter 3, which relates to law enforcement processing:

“s69(1) The controller must designate a data protection officer, unless the controller is a court, or other judicial authority, acting in its judicial capacity.” [4]

Best Practice

Whilst you may not be under a mandatory requirement to appoint a DPO, it is considered best practice to appoint someone to be responsible for data privacy matters. With GDPR, the Data Protection Bill and then the proposed changes in respect of E-Privacy, the importance of data privacy and protection is not going to diminish any time soon. After all, it’s not a case of simply ticking a box that says you are compliant with the legislation. The concept of privacy by design is now a requirement of GDPR and, teamed with the requirements to demonstrate ongoing accountability, it’s important to have a data protection ‘champion’ within your business to ensure that privacy, data protection and data subjects’ rights remain at the forefront of everyone’s minds.

Get in touch

For more information about data protection compliance, simply get in touch with one of our experts today.

[1] General Data Protection Regulation (GDPR), Regulation (EU) 2016/679

[2] https://publications.parliament.uk/pa/bills/cbill/2017-2019/0153/18153.pdf

[3] Directive (EU) 2016/680

[4] https://publications.parliament.uk/pa/bills/cbill/2017-2019/0153/18153.pdf, Part 4, Chapter 3, Section 69(1)

