Data protection officer

Copyright © 2025 LexisNexis

Under the UK General Data Protection Regulation (UK GDPR), certain organisations are required to appoint an individual to act as their data protection officer (DPO). Others may choose to appoint a DPO on a voluntary basis. In either case, your firm will need to consider who should be the DPO, what the DPO’s duties will be and what the firm’s obligations are in relation to the DPO.

For information on the circumstances where UK GDPR requires you to appoint a DPO, see Practice Note: Data protection officer—law firms and DPO appointment decision tree.

Voluntary DPOs

You should consider whether to appoint a DPO even where you are not required to. Guidelines on DPOs published by the Article 29 Data Protection Working Party and subsequently endorsed by the European Data Protection Board (EDPB) (EDPB guidance) and Information Commissioner’s Office (ICO) guidance encourage voluntary appointment of a DPO, but with an important caveat—it doesn’t matter whether your DPO’s appointment is voluntary or mandatory, if your firm has a DPO, all the requirements of the UK GDPR relating to DPOs apply—see Practice Note: Data protection officer—law firms—Voluntary

To view the latest version of this document and thousands of others like it, sign-in with LexisNexis or register for a free trial.

Existing user? Sign-in TAKE A FREE TRIAL
Powered by Lexis+®
Latest Practice Compliance News

Home Office publishes response to ransomware consultation on new legislative proposals to tackle cybercrime

The Home Office has published its response to the public consultation on legislative proposals to address ransomware. The consultation ran from 14 January to 8 April 2025 and sought views on three measures: a targeted ban on ransomware payments for public sector and regulated critical national infrastructure (CNI); a ransomware payment prevention regime; and a mandatory incident reporting regime. A total of 273 responses were received and 36 engagement events were held. The response confirms ransomware is considered the most serious organised cybercrime threat to UK national security. Feedback was broadly supportive and highlighted several cross-cutting themes, including the need for clarity on scope and definitions, proportionate penalties that avoid revictimising victims, tailored guidance and support, and improved cyber resilience. The government intends to continue to develop the proposals in collaboration with stakeholders, explore appropriate enforcement mechanisms and publish guidance to support implementation.

HMT consults on reforms to civil enforcement of financial sanctions

HM Treasury (HMT) has launched a consultation on proposed reforms to the civil enforcement processes of the Office of Financial Sanctions Implementation (OFSI), aimed at improving the efficiency, transparency and effectiveness of financial sanctions enforcement in the UK. Key proposals include the introduction of a settlement scheme for monetary penalties, an Early Account Scheme (EAS) to allow subjects to provide a full factual account early in investigations, a streamlined process with indicative penalties for minor breaches such as reporting or licensing offences, updates to OFSI’s public guidance on case assessments and penalty discounts for voluntary disclosure and cooperation as well as changes to statutory penalty maximums. These reforms would apply only to OFSI’s civil enforcement powers in relation to financial sanctions and the UK Maritime Services Ban and Oil Price Cap and would not affect criminal enforcement or non-financial sanctions. Responses are sought by 13 October 2025.

OFSI issues three General Licences for shipping and trading entities

The Office of Financial Sanctions Implementation (OFSI) has issued three General Licences under regulation 64 of the Russia (Sanctions) (EU Exit) Regulations 2019, SI 2019/855. General Licence INT/2025/6403704 permits the continuation of business operations for vessels owned or operated by, or on behalf of, the Government of the Gabonese Republic. General Licences INT/2025/6488808 and INT/2025/6397444 allow persons to wind down transactions involving Litasco Middle East DMCC and Intershipping Services LLC, respectively.

OFSI publishes threat assessment on cryptoasset sanctions compliance risks

The Office of Financial Sanctions Implementation (OFSI) has published a threat assessment examining sanctions compliance risks in the UK cryptoasset sector from January 2022 to May 2025. Key developments include the March 2025 disruption of designated Russian exchange Garantex, resulting in the seizure of US$26m in illicit assets, and the February 2025 North Korean cyber attack on Bybit exchange that resulted in the theft of US$1.5bn in cryptoassets. The assessment outlines compliance vulnerabilities and provides detailed guidance for UK cryptoasset firms on reporting obligations.

View Practice Compliance by content type :
News
Practice notes
Precedents
Q&As

Popular documents

Late payment penalties—inheritance tax

Late payment penalties—inheritance taxWhile interest often accrues on overdue tax, the late payment of certain taxes may also attract a penalty. For information on the interest accruing on overdue tax, see Practice Notes: IHT—payment deadlines on death—Interest on IHT and Interest on late paid

Can shares in a limited company that have not been paid-up at all be cancelled?

Can shares in a limited company that have not been paid-up at all be cancelled?A limited company having a share capital may not alter that share capital, except in the ways listed in section 617 of the Companies Act 2006 (CA 2006). Shares in a company cannot simply be cancelled without following an

Glossary—Latin legal terms

Glossary—Latin legal termsDespite attempts in recent years to simplify the language used in legal cases, there are still a number of Latin phrases commonly used in personal injury claims. The following Latin phrases are listed in alphabetical order:Latin

Template for regulatory references given by SMCR firms and disclosure requirements

Template for regulatory references given by SMCR firms and disclosure requirements[Insert addressee details]Dear [insert name][It is our understanding that [insert name of prospective employee] [was an employee of yours between the dates of [insert dates as appropriate] OR is a current employee of
Late payment penalties—inheritance tax

Late payment penalties—inheritance tax

Late payment penalties—inheritance taxWhile interest often accrues on overdue tax, the late payment of certain taxes may also attract a penalty. For information on the interest accruing on overdue tax, see Practice Notes: IHT—payment deadlines on death—Interest on IHT and Interest on late paid

Can shares in a limited company that have not been paid-up at all be cancelled?

Can shares in a limited company that have not been paid-up at all be cancelled?

Can shares in a limited company that have not been paid-up at all be cancelled?A limited company having a share capital may not alter that share capital, except in the ways listed in section 617 of the Companies Act 2006 (CA 2006). Shares in a company cannot simply be cancelled without following an

Glossary—Latin legal terms

Glossary—Latin legal terms

Glossary—Latin legal termsDespite attempts in recent years to simplify the language used in legal cases, there are still a number of Latin phrases commonly used in personal injury claims. The following Latin phrases are listed in alphabetical order:Latin

Template for regulatory references given by SMCR firms and disclosure requirements

Template for regulatory references given by SMCR firms and disclosure requirements

Template for regulatory references given by SMCR firms and disclosure requirements[Insert addressee details]Dear [insert name][It is our understanding that [insert name of prospective employee] [was an employee of yours between the dates of [insert dates as appropriate] OR is a current employee of