Alex is Sprintlaw’s co-founder and principal lawyer. Alex previously worked at a top-tier firm as a lawyer specialising in technology and media contracts, and founded a digital agency which he sold in 2015.
If you collect or use personal data in your business, you’ve probably wondered: do I need a Data Protection Officer (DPO)? It’s a common question - and the answer depends on what you do, how much data you process, and the type of data involved.
In this guide, we’ll walk you through when UK law actually requires a DPO, how to assess your situation step-by-step, sensible alternatives if one isn’t mandatory, and the practical compliance steps that keep you protected from day one.
What Is a DPO and What Do They Do?
A Data Protection Officer is an independent role required in certain circumstances under the UK GDPR and the Data Protection Act 2018. Their job is to help your organisation comply with data protection law - and to do that effectively, they must have a degree of autonomy and report to the highest level of management.
Key responsibilities include:
- Monitoring compliance with UK GDPR and data protection policies across your organisation
- Advising on privacy risk and reviewing data protection impact assessments (DPIAs)
- Training staff and raising awareness of data protection obligations
- Acting as the point of contact with the ICO (the UK regulator) and with data subjects
- Providing advice on new projects, vendors, and product changes that affect personal data
A DPO can be an employee or an external provider, but they can’t be penalised for doing their job and they mustn’t be conflicted (for example, someone deciding how data is used day-to-day, like a Head of Marketing or IT Director, typically shouldn’t be your DPO).
When Is a DPO Legally Required Under UK GDPR?
Under Article 37 of the UK GDPR, you must appoint a DPO if your organisation meets at least one of these tests:
- You are a public authority or body (except courts acting in their judicial capacity)
- Your core activities require “regular and systematic monitoring” of individuals on a large scale
- Your core activities consist of “large-scale” processing of special category data or criminal conviction and offence data
What Counts as “Regular and Systematic Monitoring”?
This typically includes ongoing, planned tracking or profiling of people - for example, behavioural advertising, geolocation tracking, monitoring through wearables, telematics, or CCTV in public spaces. If this monitoring is extensive and central to your business model, you may be in DPO territory.
What Is “Special Category” and “Criminal Offence” Data?
Special category data covers information that is more sensitive - for example, health data, biometric data used to identify someone, racial or ethnic origin, political opinions, religious beliefs, trade union membership, genetic data, sex life or sexual orientation. Criminal conviction and offence data is treated separately under the Data Protection Act 2018 with strict controls. Large-scale, core processing of these types of data is a key trigger for a DPO.
What Does “Large-Scale” Mean?
There’s no single number. The ICO advises looking at factors such as the number of data subjects, the volume of data, the duration and frequency of processing, and the geographic scope. An SME can hit “large-scale” if processing is continuous and central to operations (for example, a nationwide health clinic chain processing patient records).
Quick Examples
- Likely to need a DPO: A private healthcare provider processing thousands of patient health records across multiple locations; a large online platform profiling user behaviour for targeted ads at scale; a security company operating extensive public CCTV networks.
- Unlikely to need a DPO: A local retailer running a simple e-commerce site with limited analytics and no sensitive data; a small professional services firm processing client contact details for appointments; a small café with basic payroll records.
Remember: a DPO is about the nature and scale of processing, not your revenue or headcount. If your core business model revolves around continuous tracking or sensitive data at scale, take the DPO requirement seriously.
How To Decide If You Need a DPO: A Step-by-Step Assessment
You don’t need guesswork. Follow this simple sequence and document your decision (the ICO expects you to be able to justify it):
1) Map Your Personal Data
List the types of personal data you handle, where it comes from, where it’s stored, who you share it with, and why you use it. Include any special category or criminal offence data. This data map underpins your decision and your wider compliance programme.
2) Identify Your Core Activities
“Core activities” means the key operations necessary to achieve your objectives. Support functions (like payroll) usually aren’t “core”. Ask: Is regular tracking of people or processing sensitive data central to what we do?
3) Assess Scale and Monitoring
Consider the volume of individuals, frequency/duration of processing, geographic scope, and whether you’re doing regular and systematic monitoring. Note if you use technologies such as cookies, SDKs, or telematics for behavioural profiling at a significant scale.
4) Decide If a DPO Is Mandatory
If any of the three legal triggers apply, you must appoint a DPO. If not, move to step 5 - you may still choose to appoint one voluntarily or designate a privacy lead.
5) Record the Decision and Rationale
Write a short internal note explaining why you do or don’t need a DPO, and keep it with your records of processing. If challenged, this contemporaneous record shows you took a considered approach.
6) Put the Right Controls in Place
Whichever way you decide, the rest of your UK GDPR compliance is still essential - including a clear Privacy Policy, lawful bases, processor contracts, and response plans for data subject rights and breaches. Getting these foundations right reduces risk even if a DPO isn’t strictly required.
What If You Don’t Strictly Need a DPO? Sensible Alternatives
Many SMEs won’t meet the mandatory threshold - and that’s okay. You still need robust privacy governance. Consider these options:
Appoint a Privacy Lead (Without the Formal “DPO” Title)
Designate someone to coordinate privacy compliance, training, DPIAs, and vendor checks. This avoids the legal constraints of a DPO (like independence and conflict-of-interest rules) while giving you a clear internal owner for data protection.
Outsource Specialist Advice As Needed
If you only need periodic support (for example, when launching a new product or responding to a complex request), engage external expertise. A tailored Data Protection Pack can help you implement the key policies, registers, and processes quickly.
Voluntary DPO Appointment
You can appoint a DPO even if you’re not obliged to. Just remember: once you call someone your “DPO”, all the legal requirements attach. If you prefer flexibility, call the role a “Data Protection Lead” or similar unless a DPO is required.
Appointing a DPO: Practical Requirements and Common Mistakes
If you do need a DPO (or choose to appoint one voluntarily), a few practical steps matter.
Independence and No Conflicts
The DPO must be able to act independently and advise freely. Avoid appointing someone who decides the purposes and means of processing (for example, the person who sets your data strategy). Typical conflicts include senior roles in marketing, IT, HR, or operations with decision-making power over data use.
Expertise and Resources
The DPO needs “expert knowledge” of data protection law and practice. Provide access to senior management and adequate time and budget to do the job. If you outsource, ensure your provider is accessible and understands your sector.
Group and Outsourced DPOs
A corporate group can appoint a single DPO as long as they are easily accessible from each entity. Outsourcing is allowed and common for SMEs - it can be cost-effective if you process at scale but don’t need a full-time role.
Publish Contact Details and Tell the ICO
If you’re required to have a DPO, you should publish their contact details (for example, in your privacy notice) and provide them to the ICO via your registration. Make sure the DPO’s contact channel is monitored - people will use it.
Don’t Conflate PECR and GDPR
Cookie consent and direct marketing rules sit in the Privacy and Electronic Communications Regulations (PECR), which work alongside the UK GDPR. If cookies or similar tech are part of your monitoring, ensure your cookie banners and consent mechanisms are lawful.
Essential Documents And Compliance To Support Your DPO Decision
Whether or not a DPO is mandatory, the following documents and processes are key for UK GDPR compliance and will support your decision-making trail.
Privacy Notices
Be transparent about how you use data. Host a clear, accessible Privacy Policy on your website, and tailor employee or candidate notices for your workforce data. Good transparency goes a long way with the ICO and with customers.
Records Of Processing and DPIAs
Keep an internal record of your processing activities and conduct DPIAs for high-risk processing (for example, large-scale monitoring, novel tech, or sensitive data). Your DPO (if you have one) should advise on DPIAs, but many SMEs can do this with guided templates and expert review.
Processor Contracts and Data Sharing
If you use service providers that process personal data for you, you must have a compliant Data Processing Agreement in place. If you share data with another controller (for example, partners or group companies), document the arrangement with a clear Data Sharing Agreement and assign responsibilities.
Subject Access Requests (SARs)
Have a plan to recognise, triage, and respond within the statutory timescales. Training and workflows are crucial here - these requests can be complex and time-consuming. If you’re building your process, this guide to handling subject access requests is a useful starting point.
Data Breach Readiness
Incidents happen - what matters is how you respond. Put a practical Data Breach Response Plan in place so you can investigate quickly, assess risk, notify if required, and learn lessons. Practice the plan before you need it.
Marketing and Cookies
Make sure your email and SMS campaigns respect PECR rules (consent or soft opt-in where applicable) and that your cookie consent is granular and easy to refuse. Your DPO or privacy lead should be in the loop on any marketing tech changes that affect tracking.
Paying the ICO Fee
Most UK organisations that process personal data must pay a data protection fee to the ICO unless exempt. It’s quick to sort out, and the ICO publishes clear criteria for fee exemptions.
Practical Bundles for SMEs
If you want to get the essentials in place efficiently, consider a tailored GDPR Package that brings together your core policies, registers, and training with practical, business-friendly advice.
Key Takeaways
- You must appoint a DPO if you’re a public authority, if your core activities involve regular and systematic monitoring on a large scale, or if your core activities involve large-scale processing of special category or criminal offence data.
- “Large-scale” depends on factors like the number of people, data volume, frequency, and geographic reach - it’s not just about headcount or revenue.
- If you don’t need a DPO, appoint a privacy lead, document your decision, and put strong UK GDPR controls in place, including a clear Privacy Policy and records of processing.
- When you use vendors, have a compliant Data Processing Agreement; when you share data with other controllers, use a Data Sharing Agreement.
- Be ready for rights requests and incidents with practical processes for subject access requests and a tested Data Breach Response Plan.
- Don’t forget PECR alongside GDPR - get your cookie banners and marketing consent right, and check whether you qualify for any ICO fee exemptions.
- If in doubt, get tailored advice - early decisions about DPOs and data governance will shape your risk profile and support confident growth.
If you’d like help assessing whether you need a DPO or setting up your UK GDPR foundations, you can reach us on 08081347754 or team@sprintlaw.co.uk for a free, no-obligation chat.