This web site uses cookies. You are free to manage your cookie settings in your web browser at any time. For more about how we use cookies, please read our data privacy policy.

When should you appoint a Data Protection Officer?

When should you appoint a Data Protection Officer?

When should you appoint a Data Protection Officer?

by Jim Ashton | Nov 22, 2017


This blog entry is for people who are still unsure about whether their organisation should, or should not appoint a Data Protection Officer.

Click here if you want to take a simple self-check test. The questions are formulated from the text in the GDPR's Data Protection Officer articles..

Purpose of this document

This document sets out the guidelines for determining the need to appoint a Data Protection Officer.Click here if you want to take a simple self-check test.


  • DPO: Data Protection Officer, a named and accountable person in your organisation

Use our knowledge base to learn more.

When should you appoint a Data Protection Officer?

Before getting into the topic, I'd like to thank Bishopsgate Financial and its owner Mike Hampson for putting me forward to speak about when you should appoint a Data Protection Officer at this week's GDPR Summit held in London on November 20th.

When should you appoint a Data Protection Officer

Mike and I go back a long way and we have now teamed up to deliver a proven and verifiable GDPR solution that demonstrates the GDPR required organisational and technical measures for compliance using a GDPR framework operating model that is 100% traceable back to the GDPR.

The event was well attended. From the results of survey questions at the end of each of the day's sections, it looked like most attendees were in the initial stages of a GDPR implementation and some hadn't started.

My section at the GDPR Summit

The title of the section I was selected to speak about was:"When should you appoint a Data Protection Officer (DPO)?".

A few set questions were asked and then the GDPR Summit attendees were given the floor to ask questions.

The question that seemed to be of most interest was "how do I know if I need to appoint a data protection officer?".

This is a question answered by three criteria in the GDPR's Article 37.

  1. the processing is carried out by a public authority or body, except for courts acting in their judicial capacity;
  2. the core activities of the controller or the processor consist of processing operations which, by virtue of their nature, their scope and/or their purposes, require regular and systematic monitoring of data subjects on a large scale; or
  3. the core activities of the controller or the processor consist of processing on a large scale of special categories of data pursuant to Article 9 and personal data relating to criminal convictions and offences referred to in Article 10.

In plain English this means that the following need to appoint a DPO:

  1. public authorities/bodies except for courts
  2. any organisation with large scale processing the personal data
  3. any organisation with large scale processing of special categories (including criminal information)

The next question is "how big is large scale?". The answer is open to interpretation. The European Commission interprets this as being any enterprise over 250 employees. The European Parliament interprets this as those processing the personal data of over 5,000 data subjects in any 12-month period. The GDPR Article 29 working party in its publication Guidelines on Data Protection Officers says an example of large scale is "processing of customer data in the regular course of business".

Core processing does not include HR or other support functions used for your organisation's administration.

The fail-safe position is to appoint a DPO. If you genuinely think that you don't need a DPO, you will have to justify why in your personal data privacy policy.

Get more details about the Data Protection Officer's role

My company has a document detailing more about DPOs. It covers:

  1. What is a Data Protection Officer?
  2. The Data Protection Officer's Primary Duties
  3. DPO selection criteria
  4. The appointment of a Data Protection Officer
  5. Named Data Protection Officer
  6. Protected role, reporting and confidentiality
  7. Permanent or outsourced role
  8. Executive support
  9. DPO tasks and obligations
  10. Implementing Policies and Procedures

The document is part of a 14-component set of templates, policies and procedures that will help you evidence the organisational and technical measures required to comply with the GDPR.

If you would like a copy, contact us and, along with your message, type "DPO details" into the "Message Detail" box.

All the best and good luck with your GDPR implementation.

 Share article

More articles: GDPR and personal data in the USA, Privacy Shield or Model Contract? | GDPR controller to processor contract considerations | Dealing with suspected personal data breaches under the GDPR | GDPR employee monitoring | Are you respecting your employees rights to privacy? | GDPR Human Resource consideration case study covering consent and rights | GDPR scaremongering | a few GDPR myths exposed | GDPR, what is personal data for European organisations? | Information security certifications and the GDPR | Am I OK with an ISO 27000? | How to set up a representative for the GDPR in the EU | When should you appoint a Data Protection Officer?