Data protection officer

Under the UK General Data Protection Regulation (UK GDPR), certain organisations are required to appoint an individual to act as their data protection officer (DPO). Others may choose to appoint a DPO on a voluntary basis. In either case, your firm will need to consider who should be the DPO, what the DPO’s duties will be and what the firm’s obligations are in relation to the DPO.

For information on the circumstances where UK GDPR requires you to appoint a DPO, see Practice Note: Data protection officer—law firms and DPO appointment decision tree.

Voluntary DPOs

You should consider whether to appoint a DPO even where you are not required to. Guidelines on DPOs published by the Article 29 Data Protection Working Party and subsequently endorsed by the European Data Protection Board (EDPB) (EDPB guidance) and Information Commissioner’s Office (ICO) guidance encourage voluntary appointment of a DPO, but with an important caveat—it doesn’t matter whether your DPO’s appointment is voluntary or mandatory, if your firm has a DPO, all the requirements of the UK GDPR relating to DPOs apply—see Practice Note: Data protection officer—law firms—Voluntary

To view the latest version of this document and thousands of others like it, sign-in with LexisNexis or register for a free trial.

TAKE A FREE TRIAL

Latest Practice Compliance News

NCA, OFSI and FCDO publishes Red Alert on Russian oil sanctions evasion network

The National Crime Agency (NCA), Office of Financial Sanctions Implementation (OFSI) and Foreign Commonwealth & Development Office (FCDO) have jointly published a Red Alert warning financial institutions about a sophisticated Russian oil sanctions evasion network. The alert details how the network operates through 'blue' companies interfacing with Western institutions and 'red' companies trading directly with Russian oil firms. It follows UK sanctions imposed on key network entities 2RIVERS DMCC and 2RIVERS PTE in December 2024, and NORD AXIS in May 2025. The alert provides red flag indicators to help identify potential sanctions breaches.

DUAA 2025—Key compliance takeaways in our latest Practice Note

The Data (Use and Access) Act 2025 (DUAA 2025), which received Royal Assent on 19 June 2025, introduces targeted amendments to the UK’s data protection regime. While most provisions await further regulation, compliance professionals in UK private sector organisations should take note of the implications of DUAA 2025 and prepare for phased implementation. To help you with this, we’ve published a new Practice Note explaining what’s changing, when and what you need to do about it.

US Treasury sanctions Aeza Group and affiliates for enabling cybercrime

The US Department of the Treasury's Office of Foreign Assets Control (OFAC) has designated Russia-based Aeza Group and its affiliates under Executive Order 13694 for providing bulletproof hosting services to cybercriminals. The action includes sanctions against two subsidiary companies and four senior executives. The measures target infrastructure supporting ransomware attacks, technology theft and illegal drug trading. The sanctions block all US-based property and interests of designated persons and prohibit US persons from transacting with them.

OFSI adds General Licence INT/2025/6275812 to expired licences

The Office of Financial Sanctions Implementation (OFSI) has added General Licence INT/2025/6275812 to its list of expired licences which had authorised the wind-down of positions involving St Petersburg Currency Exchange and Non-bank Credit Organisation Joint-Stock Company Petersburg Settlement Center under the Russian sanctions regime.

View Practice Compliance by content type :

News