Data protection officer

Under the UK General Data Protection Regulation (UK GDPR), certain organisations are required to appoint an individual to act as their data protection officer (DPO). Others may choose to appoint a DPO on a voluntary basis. In either case, the organisation will need to consider who should be the DPO, what the DPO’s duties will be and what the organisation’s obligations are in relation to the DPO.

For information on the circumstances where the UK GDPR requires you to appoint a DPO, see Practice Note: Data protection officer and DPO appointment decision tree.

Voluntary DPOs

You should consider whether to appoint a DPO even where you are not required to under the UK GDPR. Guidelines on DPOs published by the Article 29 Data Protection Working Party and subsequently endorsed by the European Data Protection Board (EDPB) (EDPB guidance) and the Information Commissioner’s Office (ICO) guidance encourage voluntary appointment of a DPO, but with an important caveat: it doesn’t matter whether your DPO’s appointment is voluntary or mandatory. If your organisation has a DPO, all the requirements of the UK GDPR relating to DPOs apply—see Practice Note:

Latest Risk & Compliance News

ICO publishes letter on progress against economic growth commitments and work planned for 2026

The Information Commissioner’s Office (ICO) has published a letter to the Prime Minister, the Chancellor of the Exchequer, and the Secretary of State for Business and Trade setting out a one-year update on its five economic growth commitments made in January 2025. These commitments are to: (1) give businesses regulatory certainty on artificial intelligence (AI); (2) cut costs for small and medium-sized enterprises (SMEs); (3) enable greater innovation through its Regulatory Sandbox and Innovation Advice services; (4) unlock privacy-preserving online advertising; and (5) make it quicker and easier to transfer data internationally. The letter confirms that the ICO is working with the government on legislation to introduce a statutory code of practice on AI and automated decision-making, and that its expanded data essentials platform for SMEs is due to launch in spring 2026. It also states that the ICO has secured funding to design an experimentation regime to support the testing of emerging technologies, with research findings due by mid-February 2026. In addition, the ICO says it is assessing low-risk online advertising activities that could operate without consent under the Privacy and Electronic Communications Regulations (PECR) and will provide evidence to the government in the spring. The letter also highlights that the ICO published updated guidance on international data transfers in January 2026, aimed at simplifying requirements and supporting cross-border data flows, which underpin around 40% of UK exports. The ICO adds that it will continue to issue further guidance and improve regulatory clarity throughout 2026.
