Do I need a DPO?

A guide for organisations processing personal data

The EU and UK GDPR require certain organisations to appoint a data protection officer (DPO). A good DPO brings an organised, efficient and, most importantly, expert approach to data protection compliance, which frees up time and resources for your organisation to focus on its commercial objectives.

What is a DPO?

A DPO is an individual or entity who is responsible for a number of data protection tasks within an organisation. At HelloDPO, your DPO will:

  • Inform and advise the organisation about its compliance obligations and how to meet them under the GDPR.
  • Monitor compliance with the GDPR, AI-related rules and internal policies, including assigning responsibilities, raising awareness, training staff involved in processing personal data, and carrying out monitoring and audits to demonstrate compliance.
  • Provide data protection and privacy advice, and where required, advice in relation to data protection impact assessments and AI risk assessments.
  • Be the point of contact for data protection authorities such as the UK Information Commissioner’s Office.
  • Provide advice and support on personal data breaches and data subject rights’ requests.
  • Be the point of contact for individuals internally and externally at your organisation, for other third parties and for data protection authorities.

DPOs are also independent and report directly to the highest management level of the organisation. Their role includes preparing and contributing to board reports and other risk management reporting.

Do we need a DPO?

The GDPR requires organisations to appoint a DPO if any of the following apply:

  1. The organisation is a public authority or body;
  2. As part of its core activities the organisation monitors individuals regularly and systematically on a large scale, for example by tracking and monitoring individuals' behaviour on the internet or through CCTV; or
  3. As part of its core activities the organisation processes special category data on a large scale (data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs or trade union membership; genetic data; biometric data processed to uniquely identify a natural person; data concerning health; or data about a person's sex life or sexual orientation), or criminal offence data.

The concept of "large scale" is not defined in the GDPR. Regulator guidance instead lists factors to weigh, and you will need to consider the following when deciding whether you need to appoint a DPO:

  • the number of individuals whose personal data is being processed;
  • the volume of personal data processed;
  • the type of personal data;
  • the duration of the processing, i.e. whether it is a one-off exercise or ongoing over a period of time; and
  • the geographical extent of the processing, i.e. where it is taking place.

Even if you don’t have to appoint a statutory DPO under the GDPR, you can choose to appoint a voluntary DPO. If you decide to voluntarily appoint a DPO, you should be aware that the statutory requirements set out in the GDPR will apply to the voluntary DPO in the same way as if a statutory DPO appointment was triggered. These responsibilities include the requirement for the DPO to act independently, to fulfil the duties set out in the GDPR and to be provided with adequate resources to fulfil those duties.

If you handle large volumes of data or you undertake complex processing, having a DPO could help you improve your data protection compliance and will provide a dedicated point of contact for data subjects and data protection authorities for any data protection matters.

What if we decide we don’t need to appoint a DPO?

If you decide you are not caught by the GDPR requirement to appoint a statutory DPO, you do not need to appoint one. However, it is important that you are confident in your assessment: failing to appoint a DPO when one is required is a breach of the GDPR and could lead to a fine of up to €10 million (£8.7 million under the UK GDPR) or 2% of annual worldwide turnover, whichever is higher. You should document your decision not to appoint a DPO in writing, as evidence of your reasoning, so that you can justify it to a data protection authority if it is ever challenged.

What are the benefits of outsourcing the role of the DPO to HelloDPO?

Whilst you can appoint an in-house DPO, there are clear benefits to appointing HelloDPO as your outsourced DPO:

  • Independence – As we don't work inside your organisation, it is much easier for us to take a balanced, independent view of the data protection challenges you face. Many internal DPOs we speak to say they feel conflicted between their duties as a DPO and the other elements of their role, a conflict the GDPR requires organisations to avoid.
  • Resource – The GDPR requires organisations who appoint a DPO to ensure the DPO has necessary resources to complete their tasks. Rather than risk overstretching your current team, we can provide dedicated resources to tackle data protection issues.
  • Expertise – The GDPR requires a DPO to have expert knowledge of data protection law and practices. At HelloDPO we work with clients across many sectors and have a team that is experienced in a wide range of data protection issues. This means we can get to the heart of issues quickly and provide simple, commercial and effective privacy advice. We can also provide organisations with the opportunity to benchmark what they do against other organisations in a similar sector or of a similar size. We bring a different perspective to the table and provide you with the confidence that you are handling a matter, for example a data breach or a data subject access request, in the way that a regulator would expect.

Can you help me to make the decision about appointing a DPO?

Yes! You can either download our GDPR toolkit, which contains a number of documents designed to get you started on your compliance journey (including our DPO assessment template) or you can get in touch by emailing hello@hellodpo.com and we can carry out a tailored DPO assessment for you.

FAQs

Who should be our DPO?

A DPO should be someone with:

  • Expert knowledge of data protection law and practices, in line with the nature and sensitivity of the processing undertaken;
  • The ability to operate independently, without conflicts of interest; and
  • The ability to fulfil the tasks of the DPO: someone with integrity, whose focus is to ensure compliance with the GDPR and whose position in the organisation allows them to properly carry out those tasks.

They cannot be in a role that determines how data is processed (e.g. Marketing Director) because that would create a conflict of interest.

Are there penalties for failing to appoint a DPO?

Yes. Failure to appoint a DPO where you are required to do so is a breach of the GDPR and could attract an administrative fine of up to €10 million (£8.7 million under the UK GDPR) or 2% of annual worldwide turnover, whichever is higher. Failing to appoint a DPO can also expose you to a greater risk of fines more generally if it leads to a failure to properly manage your responsibilities under the GDPR.

Can a group of companies appoint a single DPO?

Yes. A group of companies can appoint a single DPO, as long as the DPO is easily accessible from each establishment and can effectively carry out their tasks across the different businesses.

Are any industries exempt from appointing a DPO?

No. There is no industry-wide exemption: the requirement to appoint a DPO depends on the nature of your processing, not your sector. As set out above, you must appoint a DPO if:

  • You are a public authority or body (except courts acting judicially).
  • Your core activities involve regular and systematic monitoring of individuals on a large scale.
  • Your core activities involve large-scale processing of special category data or data about criminal offences.

This applies to both controllers and processors.
