13 August 2025
What is a Data Protection Officer, and does your organisation need one?
The DPO requirement confuses a lot of organisations. Some appoint one when they don't need to; others don't appoint one when they should. Here's how to tell the difference.
Catenary Ltd
875 words · 5 min read
The Data Protection Officer is one of the more misunderstood roles introduced by the GDPR. A lot of organisations assume it's something they need, sometimes because they've been told so by a consultant with an interest in being appointed. Others, including some smaller organisations, genuinely do need one but haven't appointed one.
Getting this right matters. Appointing a DPO when you don't need one isn't necessarily harmful, but it creates expectations and obligations. Not appointing one when you're legally required to is a compliance failure that the ICO takes seriously.
When is a DPO legally required?
The GDPR requires you to appoint a DPO in three specific situations:
1. You're a public authority or body. Almost all public sector organisations in the UK need a DPO. If you're a local authority, NHS trust, government department, or similar, this applies to you.
2. Your core activities require large-scale, regular, and systematic monitoring of individuals. This is primarily aimed at organisations whose business model involves tracking people, such as advertising networks, analytics companies or platforms that monitor user behaviour at scale. "Large-scale" and "regular and systematic" are key qualifiers: a small website with basic analytics almost certainly doesn't qualify.
3. Your core activities involve large-scale processing of special category data or criminal conviction data. Special category data includes health information, genetic and biometric data, racial or ethnic origin, political opinions, religious beliefs, trade union membership, and sex life or sexual orientation. Criminal conviction and offence data is treated as a separate category under the GDPR, but large-scale processing of it triggers the same requirement. Again, "large-scale" is the qualifier. A GP practice processes health data, but a small practice is unlikely to be processing at a scale that triggers the DPO requirement.
For most small businesses and small non-profits, none of these conditions apply. A small charity that holds names and email addresses of supporters, or a small consultancy that holds client contact details and project files, does not need a DPO.
Where organisations get confused
The confusion usually arises in a few scenarios:
Non-profits handling sensitive data about service users. A charity supporting people with mental health conditions, or an organisation working with refugees or abuse survivors, may process significant amounts of health data or data about vulnerable people. This is worth examining carefully. The question isn't whether the data is sensitive (in this case, it clearly is). The question is whether the processing is at sufficient scale, and sufficiently central to the organisation's purpose, to trigger the DPO requirement. For many small charities it won't be, but they should make the assessment explicitly and document their reasoning.
Organisations that process employee data. Processing HR data about your own staff generally doesn't trigger the DPO requirement, even if you have a substantial workforce. Employee monitoring is different. If you systematically track employee activity, that's closer to the "regular and systematic monitoring" category.
Organisations that feel they should have one. There's a certain kind of institutional anxiety that leads organisations to appoint a DPO because it feels like the responsible thing to do. This isn't necessarily wrong, but they should understand that they're appointing someone for best-practice reasons, not legal ones, and manage expectations accordingly.
What a DPO actually does
If you are required to appoint a DPO, or decide to do so voluntarily, it's important to understand what the role involves.
A DPO is not a compliance manager or a data protection administrator. The role is specifically about independent oversight. The DPO's job is to advise the organisation on its GDPR obligations, monitor compliance, provide advice on data protection impact assessments, and act as a point of contact for the ICO and for individuals exercising their data rights.
The independence is crucial. A DPO must report directly to the highest level of management and must not receive instructions about how to perform their tasks. This means a DPO can't be someone who also decides the purposes and means of processing, as that would present an inherent conflict of interest. Your head of IT or your legal counsel typically can't serve as DPO if they're also involved in data processing decisions.
A DPO can be a member of staff or an external appointment. For small organisations that do need one, an external DPO-as-a-service arrangement is often more practical than a dedicated employee.
If you don't need a DPO
Not needing a DPO doesn't mean you need nobody responsible for data protection. Someone in the organisation should own the compliance function — maintaining the records of processing activities, handling subject access requests, managing breach response, and keeping the privacy notice current.
This doesn't need to be a specialist role. In a small organisation it's often the CEO, operations manager, or whoever has the broadest administrative responsibility. What matters is that it's clearly someone's job, not everyone's vague responsibility.
If you're uncertain whether your organisation needs a DPO, or want help putting data protection governance in place without over-engineering it, get in touch.