Data protection officer

Copyright © 2025 LexisNexis

Under the UK General Data Protection Regulation (UK GDPR), certain organisations are required to appoint an individual to act as their data protection officer (DPO). Others may choose to appoint a DPO on a voluntary basis. In either case, the organisation will need to consider who should be the DPO, what the DPO’s duties will be and what the organisation’s obligations are in relation to the DPO.

For information on the circumstances where the UK GDPR requires you to appoint a DPO, see Practice Note: Data protection officer and DPO appointment decision tree.

Voluntary DPOs

You should consider whether to appoint a DPO even where you are not required to under the UK GDPR. Guidelines on DPOs published by the Article 29 Data Protection Working Party and subsequently endorsed by the European Data Protection Board (EDPB) (EDPB guidance) and the Information Commissioner’s Office (ICO) guidance encourage voluntary appointment of a DPO, but with an important caveat—it doesn’t matter whether your DPO’s appointment is voluntary or mandatory, if your organisation has a DPO, all the requirements of the UK GDPR relating to DPOs apply—see Practice Note: To view the latest version of this document and thousands of others like it, sign-in with LexisNexis or register for a free trial.

Existing user? Sign-in TAKE A FREE TRIAL
Powered by Lexis+®
Latest Risk & Compliance News

Risk & Compliance weekly highlights—2 October 2025

This week's edition of Risk & Compliance weekly highlights includes OFSI’s penalty on Colorcon for Russia sanctions breaches, OFSI’s new and updated General Licences, and an update to the OFSI UK Financial Sanctions FAQs. We also cover EU pressure on member states to implement new AML ruless, the NCA and Law Society campaign targeting payment diversion fraud, and a High Court ruling restricting unqualified employees from conducting litigation.

NCA and Law Society launch campaign targeting payment diversion fraud in property transactions

The National Crime Agency (NCA) and The Law Society have launched a joint campaign aimed at solicitors and conveyancers to address payment diversion fraud in property transactions. The campaign, delivered with the Home Office's national Stop! Think Fraud initiative, highlights risks where criminals intercept and redirect legitimate property purchase funds by impersonating solicitors, estate agents or buyers through fraudulent contact. The campaign provides practical guidance including checking by calling before transferring money, testing accounts with small sums, and never transferring money until details are verified as correct. The initiative includes an information sheet and social media campaign across NCA and Law Society platforms.

Six in ten SMEs hit by cyberattack in 2025, Hiscox says

Law360, London: Some 59% of small and midsized enterprises have said they experienced a cyberattack in 2025, Hiscox said on 30 September 2025, highlighting the evolving threat posed by criminals adapting to new technologies to exploit businesses. The insurer stated in its annual cyber-readiness report that 33% of SMEs said they were hit with a substantial fine following an attack or a data breach. Companies face fines by regulatory bodies such as the Information Commissioner's Office after such incidents for failing to protect data and privacy.

OFSI issues £152,750 penalty on Colorcon for Russia sanctions breaches

The Office of Financial Sanctions Implementation (OFSI) has issued a penalty of £152,750 on Colorcon Limited, a pharmaceutical industry supplier and UK-registered subsidiary of Colorcon Inc., for breaching the Russia (Sanctions) (EU Exit) Regulations 2019. The breach involved 79 payments totalling £128,277.72 made by Colorcon’s Moscow office to accounts held at designated Russian financial institutions, in contravention of the UK financial sanctions linked to Russia’s illegal invasion of Ukraine in 2022. Although 44 of the payments were covered under General Licence INT/2022/2055384 prior to its expiry, Colorcon failed to comply with its reporting obligations and continued transactions after the licence had expired. OFSI assessed the case as serious, citing inadequate internal controls, delayed disclosure, and reliance on third-party screening without verification. A 35% discount was applied to the penalty due to voluntary disclosure, reduced from the maximum 50% because of a four-month delay in reporting. This case highlights key compliance lessons for the industry, notably that reliance on third parties does not absolve responsibility; the party committing the breach will be held accountable.

View Risk & Compliance by content type :
News
Practice notes
Precedents
Q&As

Popular documents

Can a limited company make a subject access request? Can a director of a limited company ask for

Can a limited company make a subject access request? Can a director of a limited company ask for recordings of calls with us? If yes, what personal data must we provide?This Q&A draws on the Information Commissioner’s Office’s (ICO’s) guidance on business-to-business marketing, which may or may

What is the difference between an appeal and a review?

What is the difference between an appeal and a review?What is an appeal?An appeal in insolvency proceedings is no different to an appeal in normal litigation. An appeal will be allowed only if the appeal court is satisfied that the decision of the lower court was 'wrong' or 'unjust because of a

Strike out—making an application to strike out a statement of case

Strike out—making an application to strike out a statement of caseA strike out order can be made either following an application by the parties or on the court's own initiative. This Practice Note deals with the scenario of the order being made following a party's application.Making an application

Contributory negligence in personal injury claims

Contributory negligence in personal injury claimsContributory negligence is a partial defence which can lead to a discount in damages.Other defences may also be relevant. See Practice Notes: Did the claimant consent to the risk of injury? and Was the claimant involved in an illegal activity?If a
Can a limited company make a subject access request? Can a director of a limited company ask for

Can a limited company make a subject access request? Can a director of a limited company ask for

Can a limited company make a subject access request? Can a director of a limited company ask for recordings of calls with us? If yes, what personal data must we provide?This Q&A draws on the Information Commissioner’s Office’s (ICO’s) guidance on business-to-business marketing, which may or may

What is the difference between an appeal and a review?

What is the difference between an appeal and a review?

What is the difference between an appeal and a review?What is an appeal?An appeal in insolvency proceedings is no different to an appeal in normal litigation. An appeal will be allowed only if the appeal court is satisfied that the decision of the lower court was 'wrong' or 'unjust because of a

Strike out—making an application to strike out a statement of case

Strike out—making an application to strike out a statement of case

Strike out—making an application to strike out a statement of caseA strike out order can be made either following an application by the parties or on the court's own initiative. This Practice Note deals with the scenario of the order being made following a party's application.Making an application

Contributory negligence in personal injury claims

Contributory negligence in personal injury claims

Contributory negligence in personal injury claimsContributory negligence is a partial defence which can lead to a discount in damages.Other defences may also be relevant. See Practice Notes: Did the claimant consent to the risk of injury? and Was the claimant involved in an illegal activity?If a