GDPR compliance—data protection officer

The following Risk & Compliance guidance note provides comprehensive and up-to-date legal information covering:

  • GDPR compliance—data protection officer
  • Mandatory appointment of a DPO
  • Voluntary appointment of a DPO
  • Organisations that already have a voluntary DPO
  • Who should be the DPO
  • Protected status of DPO
  • Tasks of the DPO under GDPR
  • DPO liability
  • Other tasks and duties
  • Tasks and duties of the controller/processor on appointing a DPO

Brexit: As of exit day (31 January 2020), the UK is no longer an EU Member State, but it has entered an implementation period during which it continues to be treated by the EU as a Member State for many purposes. The UK must continue to adhere to its obligations under EU law, including in relation to data protection, and the ICO has confirmed the GDPR will continue to apply during the implementation period. For more information, see: Practice Note: Brexit—implications for data protection.

Under Regulation (EU) 2016/679, the General Data Protection Regulation (GDPR), certain organisations are required to appoint an individual to act as their data protection officer (DPO). The concept of the DPO is not new, however. Many organisations have appointed an individual with this job title, and in some jurisdictions DPOs are a legal requirement in certain circumstances under local law.

This Practice Note sets out when organisations must appoint a data protection officer (DPO) to comply with the GDPR and the pros and cons of voluntarily appointing a DPO. It also considers who should be the organisation’s DPO, the duties of the DPO and the risk of conflicts of interest. It should be read in conjunction with: GDPR compliance—DPO appointment decision tree.

This Practice Note is based on the final text of the GDPR and guidance on DPOs published by
