As part of GDPR Month with AllowList, we ask the question ‘Do we need a Data Protection Officer?’

As part of GDPR Month with AllowList, we ask the question ‘Do we need a Data Protection Officer?’

This week we have written a blog for the ALLOWLIST GDPR month. The question we get asked from many organisations and one which Lewis Hayes our head of compliance would like to tackle is ‘Do we need a Data Protection Officer?’

Although the guidance under the regulation may seem clear to some, to others the line can feel a little blurred. While having a Data Protection Officer (DPO) may not be ‘compulsory’, not having one creates a risk to any organisation that handles, processes or monitors personal data. A risk that few businesses can afford.

Under the GDPR, the appointment of a DPO is compulsory if you:

  • Are a public authority or body
  • Conduct regular or systematic monitoring of data subjects
  • Process special categories of data or criminal convictions on a large scale

And it’s those keywords that blur the lines, because…

How often is ‘regular’?
What constitutes ‘systematic’?
How large is ‘large’?

Well, the honest answer is that there is no right answer. It really does depend on your organisation, the sector you are in, the amount of effort you have made and the steps you have taken to protect your data subjects from a breach.

Why appoint a DPO?

This is why clients and businesses often chose to appoint a DPO. Even if it may not be compulsory for them, in doing so they can demonstrate to the ICO, their beneficiaries, their customers and their business partners that they have done everything they can to protect them. No system is perfect, all processes carry a degree of risk, and sooner or later, those processes can break down. The main principle of GDPR isn’t necessarily how successful you were in protecting data against all possible threats. It’s how hard you tried as a responsible stakeholder and business leader to protect the data to the best of your ability with the resources available to you.


That ability is where the DPO comes in. Under GDPR, your DPO needs to meet certain criteria; they need to be impartial, authoritative, unimpeded, constantly informed and educated in a wide number of disciplines. They also benefit from protected employment status, and it’s very hard to double down on responsibilities without breaking the conflict of interest requirement.

Getting those skills inhouse comes with a hefty price tag. Many organisations are now finding that they can make cost savings in recruitment, employment and retention by outsourcing the service to a qualified practitioner.

For more about Data protection as a service (DPO) please click here

We are recommended by the AllowList of trusted, rated and reviewed suppliers.

About the Author