Why ‘Data Protection Officer’ isn’t just a title
How misunderstanding lingers about DPOs
When GDPR came into force more than seven years ago, it made it mandatory for certain organisations (but by no means all of them) to appoint a Data Protection Officer (DPO). As a result there are more than 500,000 organisations with Data Protection Officers registered across Europe, according to IAPP research.
But even after so long, a good deal of confusion remains about which organisations need to appoint a DPO, and what the role actually entails. The DPO isn’t just a title you can dish out to whoever you choose.
When a DPO is mandatory
The law tells us an organisation must appoint a DPO if it is a Controller or a Processor and any of the following apply:
■ you’re a public authority or body (except for courts acting in their judicial capacity); or
■ your core activities require large-scale, regular and systematic monitoring of individuals (for example, online behaviour tracking); or
■ your core activities consist of large-scale processing of special categories of data or data relating to criminal convictions and offences.
This raises questions about what’s meant by ‘large-scale’ and what happens if your organisation falls within the criteria above but fails to appoint a DPO. When it comes to interpreting ‘large-scale’ activities, the European Data Protection Board Guidelines on Data Protection Officers provide some useful examples.
Despite the previous Conservative government’s data reform proposals including the removal of the DPO role and its requirements, I should stress that under the soon-to-be-enacted Data (Use & Access) Act these requirements remain unchanged.
What to do if it’s not mandatory to appoint a DPO
Many small to medium-sized organisations won’t fall within the set criteria for mandatory appointment of a DPO. For many organisations, their processing is neither ‘large scale’ nor particularly sensitive in nature.
The ICO tells us all organisations need to have ‘sufficient staff and resources to meet the organisation’s obligations under the UK GDPR’. So, if you assess you don’t fall under the mandatory requirement, you have a choice:
■ voluntarily appoint a DPO, or
■ appoint an individual or team to be responsible for overseeing data protection. You can take a proportionate approach, based on the size of your organisation and the nature of the personal data you handle.
The DPO’s position
Many organisations don’t realise the law sets out the DPO’s position and their specific responsibilities. If you have a DPO, their responsibilities are not optional or up for debate. The law tells us DPOs must:
■ report directly to the highest level of management
■ be an expert in data protection
■ be involved, in a timely manner, in all issues relating to data protection
■ be given sufficient resources to be able to perform their tasks
■ be given the independence and autonomy to perform their tasks
It’s worth stressing that appointing a DPO places a duty on the organisation itself (particularly senior management) to support the DPO in fulfilling their responsibilities. As you can see above, that includes providing resources, independence and autonomy.
Not just anybody can be your DPO. While they can be an internal or external appointment, and one person can represent several different organisations, steps should be taken to make sure there are no conflicts of interest. A CEO or a Head of Marketing acting as the DPO would be obvious examples of where a conflict could easily arise.
The law sets out that the DPO must perform their role in an independent manner. Their organisation shouldn’t influence which projects they are involved in, nor interfere with how they execute their role. A DPO therefore needs to be someone of character and resilience who can, and will, stand their ground, even in the face of conflict.
When it comes to being an ‘expert’, there’s a judgement call to make, as the law doesn’t specify particular credentials or qualifications. The level of experience and specialist skills can be proportionate to the type of organisation and the nature of the processing.
The tasks a DPO should perform
The formal set of tasks a DPO is required to perform is as follows:
■ inform and advise the organisation and its employees about their obligations under GDPR and other data protection laws. This includes laws in other jurisdictions which are relevant to the organisation’s operations.
It’s worth noting the DPO is an advisory role, i.e. to advise the organisation and its people. Their role is not to make decisions on the processing activities. There should be a clear separation between advisor and decision-maker roles. The organisation doesn’t need to accept the advice of their DPO, but the DPO probably should document when their advice was ignored. In many smaller organisations people will inevitably be spinning multiple plates and will need to do some (or plenty) of the ‘doing’ work.
■ monitor the organisation’s compliance with the GDPR and other data protection laws. This includes ensuring suitable data protection policies are in place, training staff (or overseeing this), managing data protection activities, conducting internal reviews and audits, and raising awareness of data protection issues and concerns so they can be tackled effectively. This doesn’t mean a DPO has to write every data protection related policy, or stand up and deliver training.
■ advise on, and monitor, data protection impact assessments (DPIAs).
■ be the first point of contact for individuals in relation to data protection and for liaison with the ICO.
A DPO must also be easily accessible for individuals, employees and the ICO. Their contact details should be published, e.g. in your privacy notice (this doesn’t have to include their name), and the ICO should be informed that you’ve appointed a DPO.
A DPO shouldn’t be penalised for carrying out their duties (above). The ICO points out that a DPO’s tasks cover all the organisation’s processing activities, not just those which required a DPO to be appointed, such as ‘large scale processing of special category data’. However, the ICO accepts a DPO should prioritise and focus on more risky activities (see the ICO Data Protection Officer Guidance).
We’d always advise making sure a DPO’s responsibilities are clearly set out in a job description, to save any debate about the role. The management team and key stakeholders should also be briefed on the DPO’s legal role.
What’s clear is being a DPO requires many qualities, and a broad skill set, which we’ve written more about here: What does it take to do the job?