Which employers are required to appoint a Data Protection Officer under the UK GDPR?

Under the UK General Data Protection Regulation (retained from EU Regulation 2016/679) (UK GDPR), an employer must appoint a Data Protection Officer (DPO) if:

  • it is a public body;
  • its core activities consist of large-scale data processing that requires regular and systematic monitoring of individuals; or
  • its core activities consist of large-scale processing of special categories of data (ie sensitive personal data) or personal data relating to criminal convictions and offences.

The role of the DPO is to inform and advise the employer and its employees of their obligations under the UK GDPR and other applicable data protection laws, and to monitor the organisation's compliance. It is therefore a position that should be independent of influence from the organisation, and DPOs are protected from being dismissed or penalised for carrying out their duties. The DPO must report directly to the highest management level in the organisation. The role can be contracted externally or carried out internally by a member of staff, but the DPO's other tasks and responsibilities must not conflict with their duties as a DPO. A group of companies or public authorities can appoint a single DPO.