Data protection officer

Under the UK General Data Protection Regulation (UK GDPR), certain organisations are required to appoint an individual to act as their data protection officer (DPO). Others may choose to appoint a DPO on a voluntary basis. In either case, your firm will need to consider who should be the DPO, what the DPO’s duties will be and what the firm’s obligations are in relation to the DPO.

For information on the circumstances where UK GDPR requires you to appoint a DPO, see Practice Note: Data protection officer—law firms and DPO appointment decision tree.

Voluntary DPOs

You should consider whether to appoint a DPO even where you are not required to. Guidelines on DPOs published by the Article 29 Data Protection Working Party and subsequently endorsed by the European Data Protection Board (EDPB) (EDPB guidance) and Information Commissioner’s Office (ICO) guidance encourage voluntary appointment of a DPO, but with an important caveat—it doesn’t matter whether your DPO’s appointment is voluntary or mandatory, if your firm has a DPO, all the requirements of the UK GDPR relating to DPOs apply—see Practice Note: Data protection officer—law firms—Voluntary

To view the latest version of this document and thousands of others like it, sign-in with LexisNexis or register for a free trial.

TAKE A FREE TRIAL

Latest Practice Compliance News

FATF announces new mutual evaluation framework to strengthen global illicit finance defences

The Financial Action Task Force (FATF) has convened its annual high-level meeting with the nine FATF-Style Regional Bodies (FSRBs) in Strasbourg, announcing the implementation of new mutual evaluations. The Global Network, comprising the FATF and nine FSRBs, representing over 200 jurisdictions, remains committed to combating illicit finance through a unified set of standards and mutual evaluations. The meeting focused on implementing Global Network priorities, particularly preparing members for the upcoming mutual evaluations, which will prioritise effectiveness in tackling money laundering, terrorist financing and proliferation risks. All FSRBs aim to complete their first evaluations by late 2026 or early 2027. Additionally, significant emphasis was placed on fostering peer learning, experience sharing and strengthened cohesion within the Global Network, a key priority under the Mexican Presidency.

DSIT welcomes DUA Bill becoming Act of Parliament as DUAA

The Department for Science, Innovation and Technology (DSIT) has welcomed the Data (Use and Access) Bill (DUA Bill) receiving Royal Assent on 19 June 2025 and becoming law as the Data (Use and Access) Act 2025 (DUAA). DSIT notes that key measures include enabling real-time sharing of healthcare data across NHS services, saving 140,000 hours of admin annually and improving patient care, and the simplification of digital identity verification through certified tools, aiding tasks like renting or job application. The DUAA also introduces legislation to support investigations into child deaths linked to social media by preserving relevant data. Additionally, DSIT underlines that as mandated by the DUAA, a new Information Commission will replace the ICO, with a recruitment drive underway for its board to ensure diverse expertise.

ICO publishes guidance documents and work plan for Data (Use and Access) Act 2025

The Information Commissioner's Office has published several guidance documents and a working plan following the Data (Use and Access) Bill receiving royal assent on 19 June 2025 and becoming an Act of Parliament as the Data (Use and Access) Act 2025 (DUAA). The ICO notes that the main changes to the law include clarifying how personal information can be used for research, lifting restrictions on some automated decision making, setting out how to use some cookies without consent, allowing charities to send people electronic mail marketing without consent in certain circumstances and requiring organisations to have a data protection complaints procedure and introducing a new lawful basis of recognised legitimate interests. The ICO also underlines that the DUAA provides it with new powers including the ability to compel witnesses to attend interviews, request technical reports, and issue higher fines.

Data (Use and Access) Bill receives Royal Assent on 19 June 2025

The Data (Use and Access) Bill (DUA) received Royal Assent and became an Act of Parliament on Thursday 19 June 2025. This followed its parliamentary review being finalised on 11 June 2025 and marked the culmination of nearly eight months of parliamentary procedure. Under section 139 of the DUA, most provisions will come into force as and when the Secretary of State appoints regulations. However, a limited number of provisions came into force upon Royal Assent. This included section 78, which relates to reasonable and proportionate searches for data subject access requests. It also included sections 126–128 on the retention of biometric data, and schedule 16 on the grant of energy smart meter communication licences.

View Practice Compliance by content type :

News