Home / Appointing a data protection officer

Appointing a data protection officer

7th November 2025

What is a Data Protection Officer?

A Data Protection Officer (DPO) is the designated individual within an organisation who is responsible for monitoring, advising and organising compliance with UK GDPR and other data protection laws. They act as the main point of contact for data protection matters – both internally with staff and externally with the Information Commissioner’s Office (ICO).

Under Article 39 of the UK/GDPR, the DPO’s key responsibilities include:

Monitoring the organisations compliance with data protection laws, including its data protection policies and procedures, compliance infrastructure, organising staff training and raising awareness across the organisation;
Overseeing Data Protection Impact Assessments (DPIAs); and
Acting as a formal contact for the ICO and for individuals whose personal data is being processed by the organisation.

Importantly, the DPO is not personally liable for any non-compliance with data protection compliance – the organisation is legally responsible. To ensure impartiality, the DPO must be free from conflicts of interest.

When is a Data Protection Officer required?

Under UK GDPR appointing a DPO is required when the organisation is:

A public authority or body (e.g. Manchester City Council);
Where its core activities require large scale, regular and systematic monitoring of individuals (e.g. A company that operates CCTV systems across public transport); or
Where its core activities consist of processing any special categories of personal data on a large scale (e.g. NHS Trusts and large health care providers) or personal data relating to criminal convictions and offences.

An organisations “core activities” are essentially its primary business objectives. If you need to process personal data to meet these then the likelihood is that you will need to appoint a DPO.

Data which falls into “Special Categories” include anything involving racial or ethnic origin, sex, sexual orientation, personal health and/or political / religious beliefs.

Data processed on a “large scale” refers to handling significant volumes of personal data. For example, tracking passenger movements across Manchester’s tram network through bank cards.

The size of the company doesn’t matter– the requirement is based on the nature and scale of data processing, not the number of employees.

Even if your organisation isn’t legally required to appoint a DPO, doing so voluntarily can ensure compliance with data protection laws more generally.

How is a DPO appointed?

There are no formal qualification requirements that a DPO must have, but they must be independent, have an expert knowledge of data protection laws, be adequately resourced and report to the highest management level in the organisation.

You do not need to hire externally if there is already an employee of the organisation capable of carrying out a DPO’s role effectively, but it is imperative that they have the requisite knowledge of data protection laws. It can be more beneficial, particularly for smaller organisations, to outsource the DPO position to a specialist company.

Once a DPO has been appointed, an organisation must:

Publish the DPO’s contact details;
Notify the ICO; and
Make the DPO’s contact details easily accessible to staff (e.g. via intranet or internal directories).

How to assist your DPO?

Under Article 38 of the UK GDPR, organisations must support their DPO by:

Involving them in all data protection matters.
Provide adequate resources to enable its DPO to meet their UK GDPR obligations and maintain their expert level of knowledge.
Ensuring access to personal data and processing operations by the DPO is facilitated and maintained.
Facilitating regular reports to senior management on all issues concerning UK GDPR.
Allow the DPO to maintain its independence.

Final thoughts

Appointing and supporting a qualified DPO is a key part of demonstrating compliance with relevant data protection legislation. Failure to do so can have serious consequences such as financial penalties, regulatory action, reputational damage and legal liability.

For tailored advice or support with data protection, please contact our Commercial Team, who have experience guiding organisations through UK GDPR compliance.

Contributors: Imogen Unwin, Trainee Solicitor

Cookie	Duration	Description
cookielawinfo-checkbox-advertisement	1 year	This cookie is used to record the user consent for the cookies in the "Advertisement" category .
cookielawinfo-checkbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checkbox-analytics	1 year	This cookie is used to record your preferences for cookies in the "Analytics" category .
cookielawinfo-checkbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-functional	1 year	The cookie records your preferences for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-necessary	1 year	This records your cookie preferences.
cookielawinfo-checkbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
cookielawinfo-checkbox-performance	1 year	This cookie is used to store your consent for cookies in the category "Functional".
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.
viewed_cookie_policy	1 year	This cookie stores whether or not you have consented to the use of cookies. It does not store any personal data.

Cookie	Duration	Description
MoneyPennyAgentAvatar	session	This cookie stores the agent image URL in order to show the agent avatar on the minimize state of our live chat function. If you disable this cookie, our live chat functionality may not be available to you
MoneypennyHistory	1 year	This cookie is used to keep track of the your visits to our website and last live chats. It displays the previous five live chat transcripts to the agent in the live chat to allow faster understanding of your conversation context, and faster resolutions.
MoneypennyHistory	1 year	This cookie is used to keep track of the your previous visits to our website and last live chats on our website. The cookie allows the chat transcripts from your five previous live chats to be displayed to your live chat agent in the chat to allow faster understanding of your needs and faster resolutions.
MoneypennyRef	2 hours	This cookie records origin and site entry to display the referring URL to the live chat agent so they can gain insight into your journey to our website. It helps our live chat agents deliver a better experience by giving them context. If you choose to disable this cookie, live chat will still be available.
MoneypennyUserAlias	1 year	This cookie stores the visitor alias (name) on use of the setUserName() Javascript API. This cookie is used to support subsequent live chats so that, once it is known, the live chat agent doesn’t need to collect the information again. This alias also will get displayed on the chat-box (as the visitor’s name), prechat form (as the value of the ‘name’ field, if it exists), and offline form (as the value of the ‘name’ field, if it exists).
MoneypennyVisit	session	This cookie is used to keep track of the your visits to our website and tells your live chat agent how many times you have visited our website. It is also used for the ‘returning visitor’ proactive chat rule, enabling returning visitors to be greeted differently. Failure to accept this cookie may impact performance of our live chat function.
VISITOR_INFO1_LIVE	5 months 27 days	A cookie set by YouTube to measure bandwidth that determines whether you use the new or old player interface.

Cookie	Duration	Description
_ga	2 years	The _ga cookie, installed by Google Analytics, calculates visitor, session and campaign data and also keeps track of site usage for the site's analytics report. The cookie stores information anonymously and assigns a randomly generated number to recognize unique visitors.
_gat_UA-37750570-1	1 minute	A variation of the _gat cookie set by Google Analytics and Google Tag Manager to allow us to track your behaviour and measure site performance. The pattern element in the name contains the unique identity number of the account or website it relates to.
_gid	1 day	Installed by Google Analytics, this cookie stores information on how you use our website and also creates an analytics report of the website's performance. Some of the data that is collected include the number of visitors, their source, and the pages they visit anonymously.
CONSENT	16 years 3 months 1 day 13 hours 11 minutes	YouTube sets this cookie via embedded youtube-videos and registers anonymous statistical data.
yt.innertube::nextId	Persistent	This cookie, set by YouTube, registers a unique ID to store data on what videos from YouTube the user has seen.
yt.innertube::requests	Persistent	This cookie, set by YouTube, registers a unique ID to store data on what videos from YouTube the user has seen.

Cookie	Duration	Description
_fbp	3 months	This cookie is set by Facebook to display advertisements to you when either on Facebook or on a digital platform powered by Facebook advertising, after visiting our website.
fr	3 months	Facebook sets this cookie to show relevant advertisements to you by tracking your behaviour across the web, on sites that have Facebook pixel or Facebook social plugin.
IDE	1 year 24 days	Google DoubleClick IDE cookies are used to store information about how you use our website to present you with relevant ads according to your user profile.
test_cookie	15 minutes	The test_cookie is set by doubleclick.net and is used to determine if your browser supports cookies.
YSC	session	YSC cookie is set by Youtube and is used to track your views of embedded videos on Youtube pages.
yt-remote-connected-devices	never	YouTube sets this cookie to store the video preferences of the user using embedded YouTube video.
yt-remote-device-id	never	YouTube sets this cookie to store the video preferences of the user using embedded YouTube video.