Data protection officer—law firms

The following Practice Compliance practice note provides comprehensive and up-to-date legal information covering:

  • Data protection officer—law firms
  • Mandatory appointment of a DPO
  • Core activities
  • Regular and systematic monitoring
  • Large scale
  • Issues for law firms
  • Voluntary appointment of a DPO
  • Who should be the DPO
  • Qualifications and expertise
  • Who shouldn’t be the DPO

This document reflects the UK GDPR regime. References and links to the GDPR refer to the UK GDPR (Retained Regulation (EU) 2016/679) unless expressly stated otherwise.

Under the UK General Data Protection Regulation (UK GDPR), certain firms are required to appoint an individual to act as their data protection officer (DPO).

This Practice Note sets out when firms must appoint a DPO to comply with the UK GDPR and the pros and cons of voluntarily appointing a DPO. It also considers who should be the firm’s DPO, the duties of the DPO and the risk of conflicts of interest. It should be read in conjunction with flowchart: DPO appointment decision tree.

This Practice Note is based on the UK GDPR, guidance issued by the Information Commissioner’s Office (ICO), guidelines on DPOs published by the Article 29 Data Protection Working Party and subsequently endorsed by the European Data Protection Board (EDPB) (EDPB guidance) and the Law Society’s guidance for solicitors in law firms (Law Society guidance). Although EDPB guidance is no longer directly relevant to, or binding under, the UK regime, the ICO has confirmed it may still provide helpful guidance on certain issues.

Mandatory appointment of a DPO

A data controller or processor must appoint a DPO where any of the following apply:

  1. the processing is carried out by a public authority or body, other than a court
