Data protection officer

The following Risk & Compliance practice note provides comprehensive and up-to-date legal information covering:

  • Data protection officer
  • Mandatory appointment of a DPO
  • Public tasks carried out by non-public bodies
  • Core activities
  • Regular and systematic monitoring
  • Large scale
  • Local law requirements
  • Voluntary appointment of a DPO
  • Who should be the DPO
  • Qualifications and expertise

Data protection officer

This document reflects the UK GDPR regime. References and links to the GDPR refer to the UK GDPR (Retained Regulation (EU) 2016/679) unless expressly stated otherwise.

Under the UK General Data Protection Regulation (UK GDPR), certain organisations are required to appoint an individual to act as their data protection officer (DPO). This Practice Note sets out when organisations must appoint a DPO to comply with the UK GDPR and the pros and cons of voluntarily appointing a DPO. It also considers who should be the organisation’s DPO, the duties of the DPO and the risk of conflicts of interest. It should be read in conjunction with: DPO appointment decision tree.

This Practice Note is based on the UK GDPR, guidance issued by the Information Commissioner’s Office (ICO) and guidelines on DPOs published by the Article 29 Data Protection Working Party and subsequently endorsed by the European Data Protection Board (EDPB) (EDPB guidance). Although EDPB guidance is no longer directly relevant to, or binding under, the UK regime, the ICO has confirmed it may still provide helpful guidance on certain issues.

Mandatory appointment of a DPO

A data controller or processor must appoint a DPO where any of the following apply:

  1. the processing is carried out by a public authority or body, other than a court acting in its judicial capacity

  2. the core activities of the controller
