Alex is Sprintlaw’s co-founder and principal lawyer. Alex previously worked at a top-tier firm as a lawyer specialising in technology and media contracts, and founded a digital agency which he sold in 2015.
If you’re running a small business in the UK, you’ve probably wondered whether you need to appoint a Data Protection Officer (DPO). You’re not alone - lots of founders hear “GDPR” and “DPO” and assume every organisation must appoint a DPO to be compliant. The truth is more nuanced.
In this guide, we’ll explain exactly who needs to appoint a DPO under the UK GDPR and the Data Protection Act 2018, how to decide in practice, and what to do if you don’t strictly need one. We’ll also flag common pitfalls for SMEs and how to set yourself up so you’re protected from day one.
What Is A Data Protection Officer?
A Data Protection Officer (DPO) is an independent privacy expert who helps your organisation comply with data protection law. Under the UK GDPR, a DPO’s key tasks include:
- Informing and advising you on your data protection obligations.
- Monitoring compliance (policies, training, audits).
- Advising on and monitoring Data Protection Impact Assessments (DPIAs).
- Cooperating with the Information Commissioner’s Office (ICO) and acting as the contact point.
- Being accessible to individuals (data subjects) who have privacy queries or complaints.
Importantly, the DPO must be independent, have “expert knowledge of data protection law and practices”, report to the highest management level, and not be instructed on how to carry out their tasks. They shouldn’t be penalised for doing their job and they must avoid conflicts of interest (for example, your Head of Marketing or CTO often can’t be the DPO if they determine purposes and means of processing).
You can appoint someone internal or engage an external provider. Either way, if a DPO is required, you must publish their contact details and share them with the ICO.
Who Needs To Appoint A DPO Under UK Law?
Under Article 37 of the UK GDPR and the Data Protection Act 2018, you must appoint a DPO if your organisation is:
- A public authority or body (except courts acting in their judicial capacity); or
- Carrying out regular and systematic monitoring of individuals on a large scale (for example, online tracking or profiling); or
- Processing special category data or criminal offence data on a large scale as part of your core activities.
Let’s unpack those terms in plain English.
Public Authorities
Central and local government bodies will almost always need a DPO. Some schools and publicly funded bodies also qualify as public authorities. Many private SMEs won’t fall into this category.
Regular And Systematic Monitoring (Large Scale)
This typically covers ongoing, organised tracking of individuals to analyse or predict behaviour - think adtech platforms, fitness apps monitoring location data from hundreds of thousands of users, or a retailer using extensive behavioural profiling across a large customer base. Running CCTV in a single shop, by itself, usually won’t trigger a DPO unless you’re monitoring public spaces on a large scale.
Large-Scale Processing Of Special Category Or Criminal Data
Special category data includes health data, biometrics, race/ethnicity, religious beliefs, sexual orientation and similar sensitive information. To judge scale, look at the volume of data, the number of data subjects, the geographic coverage and the duration/frequency of processing. A large private hospital or an insurtech processing health data for tens of thousands of customers would likely qualify. A single-location physiotherapy clinic with a small patient list may not, but you still need robust privacy governance.
Also note:
- Processors as well as controllers must appoint a DPO if the criteria are met.
- A group of undertakings can appoint one DPO provided they’re easily accessible to each entity.
- An appointed DPO can serve in a part-time capacity or be external, as long as they meet independence and expertise requirements.
So, does every organisation need a DPO? No - not all organisations must appoint a DPO. Only those that meet the criteria above are legally obliged to do so.
How To Decide In Practice: SME Scenarios And Indicators
The hardest part for small businesses is judging “large scale” and whether monitoring is “regular and systematic”. Here’s how to think it through with practical examples.
Scenario 1: Local E-Commerce Brand
You sell products online and use basic web analytics, email newsletters and occasional remarketing. You don’t profile at an individual level beyond standard segmentation. You process names, emails, addresses and purchase history, but not special category data. This is unlikely to be “regular and systematic monitoring on a large scale”. A DPO probably isn’t required - but you still need a clear Privacy Policy, lawful bases for processing, and proper consent for marketing under PECR.
Scenario 2: Healthtech Startup
You offer a digital platform that collects continuous health metrics (e.g. heart rate data) from wearable devices across tens of thousands of UK users. This is special category data, processed as a core activity, at large scale. You’ll almost certainly need to appoint a DPO and conduct DPIAs for your high-risk processing.
Scenario 3: Multi-Site Fitness Chain With Biometrics
You operate gyms and use facial recognition for entry and in-gym analytics across dozens of sites. That’s systematic monitoring and biometric data processing at scale. You should appoint a DPO and implement strict safeguards around biometric data.
Scenario 4: Professional Services Firm
You provide consulting to SMEs and process client contact details and contracts. You may occasionally handle sensitive information but not as a core, large-scale activity. A DPO is unlikely to be legally required - but you must still have strong internal policies, appropriate processor terms and security measures.
Scenario 5: EdTech With Behavioural Profiling
Your platform tracks student engagement, location, device data and learning patterns across the UK to generate individual risk scores. This looks like regular and systematic monitoring at scale. Appointing a DPO is prudent and likely required.
If you’re on the fence, look at:
- How many people’s data you process and how often.
- Geographical reach and duration (one-off vs ongoing tracking).
- Whether the processing is core to your business (not just incidental).
- Types of data - special category/criminal data weighs heavily.
It’s wise to get tailored advice if you’re close to the threshold. A short data protection consultation can help you document a defensible decision - particularly useful if the ICO ever asks why you didn’t appoint a DPO.
If You Don’t Need A DPO, What Should You Do Instead?
Even if a DPO isn’t mandatory, you still have full UK GDPR obligations. In practice, SMEs often appoint a “data protection lead” (someone senior who oversees privacy) without calling them the DPO. That avoids the independence and conflict rules while ensuring accountability.
Key actions to take:
- Document your decision not to appoint a DPO and keep the rationale on file.
- Maintain core governance: Records of Processing, lawful bases, retention schedules and security measures.
- Adopt clear customer-facing notices like a compliant Privacy Policy and Cookies notice.
- Put the right contracts in place with vendors - if a supplier processes personal data for you, you’ll need a proper Data Processing Agreement with the UK GDPR’s mandatory clauses.
- Build a process for rights requests. Subject access requests usually have a one-month deadline - this guide on SAR response timescales is a helpful reference.
- Stay on top of marketing and cookies. Ensure you’re PECR-compliant and your banner gives real choices - this article on cookie banners that comply outlines practical steps.
If you’d like a set of tailored templates and policies, a bundled GDPR Package or a broader Data Protection Pack can be a cost-effective way to cover your bases.
How To Appoint And Work With A DPO (If You Need One)
If you determine a DPO is required, appointing them correctly matters.
Choose The Right Model
- Internal DPO: Works well if you have in-house expertise and can avoid conflicts. They must be independent and report to senior management.
- External DPO (outsourced): A practical option for SMEs. You contract a specialist who acts as your DPO; ensure the scope allows them to perform mandatory tasks and be reachable by the ICO and data subjects.
- Group DPO: One DPO can cover multiple group companies, but they must be easily accessible to each entity and understand local processing activities.
Formalise The Role
- Appoint in writing, define responsibilities, ensure they’re involved “in all issues relating to personal data”.
- Provide resources, training access and cooperation from all teams.
- Publish their contact details (e.g. privacy page) and supply them in your ICO registration.
- Protect against conflicts of interest - avoid giving the DPO operational decision-making over the purposes and means of processing.
Integrate Privacy Into Your Operations
Work with your DPO to embed data protection by design:
- Run DPIAs for high-risk projects and follow their advice.
- Train staff regularly and document attendance.
- Schedule audits and address findings with action plans.
- Review vendor contracts so every processor has a robust Data Processing Agreement in place.
Remember, appointing a DPO doesn’t transfer your accountability - the business remains responsible for compliance.
Common Mistakes, Myths And Compliance Traps
Myth: “All Organisations Must Appoint A DPO”
False. Only public authorities or organisations that conduct large-scale monitoring or large-scale special category/criminal data processing must appoint one. Many SMEs won’t meet the threshold - but you still need robust privacy governance.
Appointing The Wrong Person
Don’t make the person who decides how and why you process data (e.g. Head of Product, CTO, CMO) your DPO - that’s a conflict of interest. The ICO expects independence and the ability to challenge decisions.
“DPO” In Name Only
If you designate a DPO (even voluntarily), you must comply with the UK GDPR’s DPO rules. That means independence, access to resources, involvement in all relevant matters, and direct reporting lines. If you want a lighter-touch role, consider a “privacy lead” instead, but avoid calling them “DPO”.
Forgetting The ICO Basics
Most UK businesses that process personal data must pay the ICO data protection fee unless exempt. Check the rules and ICO fee exemptions that may apply to your business model.
Poor Vendor Controls
If a supplier handles personal data for you (hosting, email, analytics, fulfilment), your contract with them must include the UK GDPR’s mandatory processor clauses. Put a proper Data Processing Agreement in place and monitor their compliance.
Ignoring Transparency And Cookies
Make sure your Privacy Policy explains what you do in clear, plain English and that your cookie tools respect PECR (e.g. no non-essential cookies before consent; an easy “reject all” option).
Unprepared For Rights Requests
Build a playbook for access, deletion and objection requests with clear internal SLAs. Keep an eye on deadlines - the one-month timer for SARs starts when you receive the request.
FAQs: Quick Answers For SMEs
Does Every Organisation Need A DPO?
No. A DPO is mandatory only if you’re a public authority, you carry out regular and systematic monitoring of individuals on a large scale, or you process special category/criminal data on a large scale as a core activity. Many small businesses won’t meet those criteria.
What Counts As Large Scale?
There’s no single number. Consider the volume of data subjects, the range of data, the duration and frequency of processing and geographic coverage. Hospitals, nationwide platforms and sizeable adtech businesses are obvious examples; a microbusiness with a few thousand customers likely isn’t.
Can We Appoint An External DPO?
Yes. Outsourcing to an external DPO is permitted and often sensible for SMEs. Ensure they’re properly engaged, accessible to the ICO and individuals, and free from conflicts.
What If We Appoint A DPO Voluntarily?
If you choose to appoint a DPO even when it’s not required, the UK GDPR’s DPO rules still apply. If you want flexibility without those obligations, designate a privacy lead rather than a formal DPO.
Is The DPO Personally Liable For Breaches?
No - the organisation remains accountable for compliance. That said, the DPO must be allowed to operate independently and without penalty for doing their job.
Key Takeaways
- You must appoint a DPO if you’re a public authority, you conduct regular and systematic monitoring of individuals on a large scale, or you process special category/criminal data on a large scale as a core activity.
- Most small businesses don’t automatically need a DPO - but you still must comply with the UK GDPR and PECR, including clear transparency, consent where required, security and rights handling.
- If you don’t appoint a DPO, designate a privacy lead, document your decision, and implement strong governance, including a compliant Privacy Policy and appropriate Data Processing Agreements with suppliers.
- If you do need a DPO, ensure independence, expertise, adequate resources, and publish their contact details. A group or external DPO is fine if they’re accessible to your organisation.
- Prepare for data subject rights requests and marketing/cookies compliance - tools and processes matter, and this guide to cookie banners that comply and SAR deadlines will help.
- When in doubt, get tailored advice and record your rationale - a short data protection consultation can save you time, cost and risk later.
If you’d like help deciding whether you need a DPO - or putting the right documents and processes in place - you can reach us at 08081347754 or team@sprintlaw.co.uk for a free, no-obligations chat.