Where a Data Protection Officer (‘DPO’) is required under the GDPR, or where a business decides to appoint a voluntary DPO, there are certain requirements under the GDPR regarding the qualities and authority of the DPO, as well as the roles and responsibilities to be undertaken by the DPO.


A DPO has to be appointed where your organisation:

  • is a public authority (other than courts acting in their judicial capacity);
  • carries out large scale regular and systematic monitoring of individuals (for example, online behaviour tracking); as part of its core activities (i.e. key operations necessary to achieve the controller’s or processor’s goals); or
  • carries out ‘large scale’ processing of special categories of data (mainly sensitive personal data) or data relating to criminal convictions and offences. ‘Large scale’ is said to include large-scale processing operations which aim to process a considerable amount of personal data at regional, national or supranational level and which could affect a large number of data subjects and which are likely to result in a high risk.

Where an organisation feels it does not need to appoint a DPO under these rules, and chooses not to do so, it should record the reasoning behind such a decision to justify why it believes it falls outside the above types of organisation.

Any organisation which falls outside the above categories may, however, still choose to appoint a dedicated DPO. Regardless of whether the GDPR obliges you to appoint a DPO, you must ensure that your organisation has sufficient staff and skills to discharge your obligations under the GDPR. Where a dedicated DPO is appointed, the rules governing the roles and responsibilities of the DPO will apply to that voluntary role in the same way as to those DPOs mandatorily appointed.


There is no specific list of qualifications or credentials specified in the GDPR that a DPO should possess, but it does state that a DPO should be a person of high integrity, professionalism and have ‘expert knowledge of data protection law and practices’, and should have both the authority and knowledge of data protection laws to be able to carry out his or her duties. Further, the DPO’s expertise should not conflict with the data processing operations and the level of data protection required for the personal data processed by data controllers and data processors.

So, a DPO can be selected from an organisation’s current staff, or could be an external appointment. Further, depending on the circumstances, the DPO role might not need to be the full-time responsibility of the DPO, provided the DPO’s role is not compromised by or in conflict with his/her other duties for the organisation.

It is also possible for the DPO to act in the same role for more than one organisation, as long as the roles are not in conflict, and provided the DPO is easily accessible for each organisation and is able in practice to carry out the required duties for each organisation.


DPOs must either be part of, or report to the Board of the relevant organisation, and they must be given appropriate authority and support to enable them to function effectively in carrying out their roles. They should be involved in projects that involve personal data issues from the earliest stages and role will effectively be to champion best practice with regard to the protection of personal data by the organisation.

The duties of the DPO will include:

  • Educating management and staff on important compliance requirements
  • Training all relevant staff on safeguarding personal data and ensuring compliance with the GDPR
  • Conducting audits to ensure compliance and address potential issues proactively
  • Serving as the point of contact between the company and the ICO (or other relevant Supervisory Authority), including being responsible for reporting data breaches and cooperating with the ICO
  • Regularly auditing and monitoring performance and providing advice on the impact of data protection efforts
  • Maintaining comprehensive records of all data processing activities conducted by the company, including the purpose of all processing activities

Ensuring data subjects are aware of and, where appropriate consent to, how their data is being used, their rights to erasure, portability and access, and what measures the company has put in place to protect their personal information.