• Gdpr
  • January 28, 2022

Does My Business Need A Data Protection Officer?

One of the most common questions we receive from SMEs on the subject of data privacy and GDPR is “do we need a Data Protection Officer?”. 

There is no doubt that Data Protection Officers play an increasingly vital role in protecting UK businesses, so much so that demand for skilled staff to fill these roles has risen hugely over the past few years. Given the enormous fines levied on some organisations, it is easy to see why. Google was ordered to pay £43.2m in 2019, and British Airways were fined £20m in 2020 for breaches of data privacy law. It is not just big firms being impacted. A good number of fines in the region of £100,000 have been levied on SMEs.

In this article, we will explain whether your business is required to have a DPO and why hiring a Data Protection Officer can be a really good investment.

What are the roles and responsibilities of a Data Protection Officer (DPO)?

First, some background information. The UK’s Data Protection Act 2018 incorporated the General Data Protection Regulation (GDPR) rules that were agreed across the EU.

The current UK GDPR deals with how personal data, e.g. information held on clients and employees, should be used and managed in a way that is (i) fair, (ii) lawful, and (iii) transparent. The GDPR specifies the role of a DPO and whether one is necessary by law.

The role of the DPO is to handle all issues relating to the protection of personal data:

  • explaining to those who control and process data within the organisation how to comply with the UK GDPR
  • monitoring compliance with the UK GDPR
  • providing advice on data protection impact assessments
  • cooperating with the supervisory bodies, e.g. the Information Commissioner’s Office (ICO)
  • acting as a point of contact for the supervisory authorities

DPOs play a vital role in making sure that businesses remain compliant with data protection law at all times and avoid any potentially costly breaches.

Do you need to employ a Data Protection Officer (DPO)?

A business should appoint a DPO where:

  • the processing is carried out by a public authority or body, except for courts;
  • the core activities of the controller or the processor consist of regular and systematic monitoring of data subjects on a large scale;
  • processing on a large scale of special categories of data and personal data relating to criminal convictions and offences.

Many businesses remain confused as to whether they still fall into the mandatory requirement for a DPO.  

To answer this, we need to clarify what is meant by ‘core activities’, ‘regular and systematic monitoring’, ‘large scale’ and ‘special categories of data’.  

‘Core activities’ refers to the ‘primary activities’ of a business, not the activities that all businesses have to perform, such as payroll and storing information on clients. For example, a law firm’s processing of information relating to a legal case would be considered a primary activity.

A business will be considered to be involved in ‘large scale’ data processing where it is handling extremely large volumes; for example, a hospital would come under this definition, whereas a local GP surgery would not. A business is considered to be carrying out ‘regular and systematic monitoring’ if it is processing lots of data for tracking and profiling, e.g. an online retailer using data to make recommendations to prospective clients. And finally, ‘special categories’ may include sensitive data, including information on health, race, political opinions, or identity.

It is also important to monitor the situation over time: even if you do not need a DPO now, you may need one in the future, for example if you expand your operation or start processing personal data on a larger scale. For this reason, we recommend scheduling a regular review, or speaking with a data protection lawyer, to ensure you remain compliant with the law.

Are you still unsure if you need a DPO?

The UK GDPR as it stands is still rather unclear, leaving many businesses unsure if they fall within the mandatory requirement for a DPO. If you are in this position, speak to one of LawBite’s expert UK data protection solicitors, who will clarify your position. By asking questions about the use of personal data within your business, we can confirm if a DPO is needed. In addition, we can explain how to go about appointing a DPO and the type of training they will need.

Think of a DPO as an investment in your organisation, not a cost. Even if a DPO is not strictly necessary for your SME, hiring a person into this role will ensure that you do not fall foul of the laws on data privacy, and hence you will mitigate the risk of serious penalties. Another reason is that by investing in a DPO, you are sending a strong signal to prospective clients and investors that you take the protection of data extremely seriously. This, in turn, will offer them significant reassurance that your SME is adhering to data privacy best practices at all times.

Here is a checklist to ensure you are compliant:

  1. review your business’s existing use of data - i.e. who the ‘data controllers’ (those who determine if and why data needs to be processed) and ‘data processors’ (those who process data on behalf of the controller) are within your business, what data you hold, and how that data is processed.
  2. assess whether a DPO is mandatory for your organisation - speak to a specialist in data protection law if you are unsure.
  3. appoint a DPO and ensure they receive the training, time, resources, and support they need to perform their role.

You can get legal assistance from LawBite

Still confused? LawBite has expert data protection lawyers who will be able to help you. They can advise you on the data protection rules you must follow and whether your business needs a data protection officer or not.

Book a free 15-minute consultation with one of our expert data protection and GDPR lawyers or visit our GDPR compliance and training packages page to find out more.

In closing

Nothing in this article constitutes legal advice on which you should rely. The article is provided for general information purposes only. Professional legal advice should always be sought before taking any action relating to or relying on the content of this article. Our Platform Terms of Use apply to this article.
