Alex is Sprintlaw’s co-founder and principal lawyer. Alex previously worked at a top-tier firm as a lawyer specialising in technology and media contracts, and founded a digital agency which he sold in 2015.
If you run a small business in the UK, it’s normal to wonder whether GDPR expects you to appoint a Data Protection Officer (DPO) - especially when you start collecting more customer data, hiring staff, or scaling your marketing.
The tricky part is that the law doesn’t say “if you have X employees, you need a DPO”. Instead, it depends on what your business actually does with personal data.
In this guide, we’ll break down what a DPO is, the legal tests under UK GDPR, and how to decide (with confidence) whether you need a DPO for your business.
What Is A DPO (And What Do They Actually Do)?
A Data Protection Officer (DPO) is a specific role created under the UK GDPR (and the GDPR framework generally) to help some organisations manage and demonstrate compliance with data protection law.
In plain English, a DPO’s job is to help you put strong privacy practices in place and keep them running properly as your business grows.
Typical DPO Responsibilities
While the exact job scope depends on your business, a DPO will usually:
- Advise the business on UK GDPR obligations (and related UK privacy law like the Data Protection Act 2018).
- Monitor compliance (for example, checking policies, training, audits, and risk reviews).
- Support Data Protection Impact Assessments (DPIAs) for higher-risk activities.
- Act as a contact point for the ICO (the UK data protection regulator).
- Help handle data subject rights requests (like subject access requests) and complaints.
Importantly, a DPO is not just an “admin person for GDPR”. The role is designed to be independent and appropriately skilled.
DPO Vs Privacy Lead: Not The Same Thing
Lots of small businesses sensibly appoint an internal “privacy lead” (for example, an operations manager or head of compliance) even when they don’t legally need a DPO.
That can be a great move - but it’s different from formally appointing a DPO under UK GDPR, because a DPO has specific legal protections and requirements around independence, conflicts of interest, and reporting lines.
Do I Need A DPO Under UK GDPR? The Legal Tests You Must Check
Under UK GDPR, you must appoint a DPO if your organisation falls into one of the categories below.
If you’re here because you’re wondering whether you need a DPO, these are the three tests to work through carefully.
1) You’re A Public Authority Or Public Body
Public authorities and public bodies generally need a DPO (except for courts acting in a judicial capacity).
Most small businesses won’t fall into this category. Even if you deliver services to the public sector or work on a government contract, that doesn’t automatically make you a “public authority” or “public body” for UK GDPR purposes - it depends on the specific legal status and function of your organisation.
2) Your Core Activities Involve Regular And Systematic Monitoring Of People On A Large Scale
This is the test that catches many growing businesses - especially those with analytics-heavy models.
You may need a DPO if:
- Monitoring people is part of your core activities (i.e. it’s central to your business, not just a minor support function), and
- That monitoring is regular and systematic, and
- You’re doing it on a large scale.
What Counts As “Regular And Systematic Monitoring”?
This can include activities like:
- Behavioural tracking for targeted advertising
- Profiling to predict preferences, performance, health, or risk
- Location tracking over time
- Monitoring app users’ activity
- Tracking customer interactions across platforms to build profiles
Even if you’re using third-party tools to do this, you’re still responsible for compliance if it’s happening as part of your operations.
What Does “Large Scale” Mean?
UK GDPR doesn’t give a neat number (annoying, we know). “Large scale” is fact-specific, and usually looks at things like:
- How many people’s data you process (customers, users, patients, employees)
- The amount and range of data you process (how detailed it is)
- How long you keep the data
- Geographic scope (local vs national vs international)
If you’ve got a national user base, you’re processing lots of data points per person, or your business model depends on tracking and profiling, it’s worth treating this test seriously and getting advice early.
3) Your Core Activities Involve Large-Scale Processing Of Special Category Data Or Criminal Records Data
This is the test most likely to apply to certain service-based businesses and platforms.
You may need a DPO if your core activities involve large-scale processing of:
- Special category data (such as health data, biometric data, or data revealing racial or ethnic origin, religious beliefs or sexual orientation), and/or
- Criminal convictions and offences data
Examples Where This Might Apply
- A healthcare clinic processing patient records at scale
- A wellbeing app collecting health and lifestyle information across many users
- A platform doing background screening as a core service
- A business using biometric data (like fingerprints) as part of its core operations
If this sounds even vaguely like your business model, it’s a good idea to put your compliance foundations in place from day one - including clear documentation and contracts around who is doing what with data (for example, where you’re using third parties, a Data Processing Agreement is often essential).
How To Work Out If Your Business Falls Into These Categories
When you’re trying to answer “do I need a DPO?”, the most helpful approach is to step back and map what your business actually does with personal data.
Here’s a practical checklist you can use.
Step 1: Identify Your “Core Activities”
Ask yourself: if we stopped this data activity, would the business still function in the same way?
- If your business is an eCommerce store, your core activity is selling products - processing customer data supports that, but it may not be “core” monitoring.
- If your business is an ad-tech platform, your core activity may involve profiling and tracking - that’s much more likely to be “core”.
Step 2: List What Data You Process (And Why)
Break it down into categories, like:
- Customer contact details (names, emails, delivery addresses)
- Payment information (often handled and stored by your payment provider, but it still matters: you may still process some payment-related personal data, and you remain responsible for your own compliance)
- Marketing and analytics data (cookies, device IDs, browsing behaviour)
- Employee and contractor data (HR files, payroll info)
- Any special category data (health notes, accessibility requirements, ID verification, etc.)
Once you know what you’re processing, it’s much easier to see whether you’re anywhere near “large-scale” and “special category” territory.
Step 3: Check Whether You “Monitor” Individuals
Monitoring isn’t just CCTV. It can include digital tracking and profiling too.
If you do use monitoring tools in your workplace, make sure your internal policies match what you’re doing in practice (an Acceptable Use Policy can be a key part of keeping things clear with staff).
Step 4: Decide Whether A Formal DPO Appointment Is Required (Or Just Sensible)
Some businesses clearly fall inside the legal requirement. Many don’t - but still benefit from a responsible person taking ownership of privacy compliance.
If you’re unsure, it’s worth getting tailored advice. Appointing a DPO when you don’t need one can create obligations you didn’t intend to take on, but ignoring the requirement when you do need one can expose you to regulatory risk.
If You Don’t Need A DPO, What Should You Do Instead?
If you don’t legally need a DPO, you still need to comply with UK GDPR. That means (at a minimum) being able to show that you:
- Process personal data lawfully, fairly and transparently
- Only collect what you need
- Keep data accurate and secure
- Have a clear retention approach (don’t keep data forever “just in case”)
- Respect data subject rights (access, deletion, objections, etc.)
- Have the right contracts in place with suppliers handling data
Appoint A Privacy Owner (Informally)
A common and practical solution for small businesses is to appoint a privacy owner internally. This person can coordinate:
- Data mapping and record-keeping
- Policy rollouts and staff training
- Supplier due diligence
- Incident response planning
This can be especially helpful if you’re growing quickly, using new tech tools, or expanding into more regulated services.
Get The Essentials In Place Early
Even without a DPO, you’ll usually want to make sure you’ve got:
- A clear Privacy Policy (particularly if you collect customer data online)
- A plan for what you’ll do if there’s a cyber incident or accidental disclosure (a Data Breach Response Plan can make the difference between a controlled response and a complete scramble)
- Supplier contracts that cover GDPR responsibilities (especially where suppliers process data on your behalf)
If you want a more joined-up approach, a GDPR Package is often a practical way to cover the key documents and compliance foundations without trying to piece everything together yourself.
How To Appoint A DPO Properly (And Common Mistakes To Avoid)
If your business does need a DPO, it’s worth doing it properly from day one. A “tick-the-box” DPO appointment can create problems later - especially if the DPO doesn’t have real independence or the right level of support.
You Can Use An Internal Or External DPO
A DPO can be:
- An employee (internal DPO), or
- A contractor/consultant (external DPO service)
For many small businesses, an external DPO can be more realistic if you don’t have in-house privacy expertise.
Your DPO Needs Independence And Support
UK GDPR expects that the DPO:
- Reports to the highest management level
- Can do their job independently (not being told what conclusion to reach)
- Has sufficient resources (time, access, budget, tools)
- Is involved early in privacy-related decisions
Watch Out For Conflicts Of Interest
This is one of the most common pitfalls for growing businesses.
A DPO shouldn’t usually be someone who decides how and why data is processed (because they would effectively be “marking their own homework”). Depending on your structure, that can mean it’s risky to appoint someone like:
- Your head of IT (if they control security decisions and systems)
- Your head of marketing (if they run tracking and profiling)
- Your CEO (if they decide strategy and operations)
Whether it’s a conflict depends on what the role actually involves in your business - so it’s worth getting advice rather than guessing.
Don’t Forget About Modern Data Risks (Like AI Tools)
Even where you don’t think you process much data, modern work tools can change your risk profile quickly - for example, staff inputting personal data into AI tools or automation platforms.
If your team uses AI in day-to-day workflows, it may be sensible to set clear rules internally (a Generative AI Use Policy can help you set expectations around what can and can’t be shared, and how to manage confidentiality and privacy risks).
Key Takeaways
- If you’re asking whether you need a DPO, the answer depends on what your business does with personal data - not your company size alone.
- You generally must appoint a DPO under UK GDPR if you’re a public authority, if your core activities involve large-scale regular and systematic monitoring, or if your core activities involve large-scale processing of special category or criminal records data.
- “Large scale” and “core activities” aren’t strict number-based tests - you need to look at the reality of your processing (volume, sensitivity, duration, and purpose).
- If you don’t need a formal DPO, appointing a privacy owner internally can still be a smart move to keep your GDPR compliance organised as you grow.
- Strong GDPR foundations often include a Privacy Policy, the right supplier contracts (like a Data Processing Agreement), and a clear breach response plan.
- If you do need a DPO, make sure they’re properly supported and independent, and avoid appointing someone whose role creates a conflict of interest.
If you’d like help working out whether you need a DPO (and what your business should do next under UK GDPR), you can reach us at 08081347754 or team@sprintlaw.co.uk for a free, no-obligations chat.