The UK’s independent authority set up to uphold information rights in the public interest, promoting openness by public bodies and data privacy for individuals.

Whether to appoint a DPO

If it is necessary to appoint a data protection officer (DPO) under Article 37 of the UK GDPR, your organisation makes sure that the DPO’s role is adequately supported and covers all the requirements and responsibilities.

Ways to meet our expectations:

  • The DPO has specific responsibilities in line with Article 39 of the UK GDPR for data protection compliance, data protection policies, awareness raising, training and audits.
  • The DPO has expert knowledge of data protection law and practices.
  • The DPO has the authority, support and resources to do their job effectively.
  • If your organisation is not required to appoint a DPO, you record the decision.
  • If your organisation is not required to appoint a DPO, you appropriately assign responsibility for data protection compliance and you have enough staff and resources to manage your obligations under data protection law.

Can you answer yes to the following questions?

  • Could your DPO explain their responsibilities and how to carry them out effectively?
  • Does your DPO feel supported in their role?