Appointing a data protection officer (DPO) – guide for law practices

You do not always have to appoint a data protection officer (DPO). In most cases, as a law practice, you will not have to. But you’ll need to make someone responsible for data protection.

Whether you decide to appoint a DPO or not, you must document the reasons for your decision.

You’ll need to check whether you need a DPO by evaluating how and why you process personal data against the criteria for appointing one.

When you must appoint a DPO

As a law practice, you must appoint a DPO if you have to carry out:

  • large-scale, regular and systematic monitoring of people, for example online behaviour tracking
  • large-scale processing of sensitive (special category) data or data relating to crimes and criminal convictions

Read the Information Commissioner's Office (ICO) guidance on when to appoint a DPO.

Your practice – not your DPO – is responsible if you do not comply with GDPR.

Voluntarily appointing a DPO

You should consider voluntarily appointing a DPO if it would be the most effective way of complying with data protection rules.

If you do appoint one, they’ll need to:

If you do not appoint a DPO

If you decide not to appoint a DPO, you should nominate someone to be responsible for making sure your practice complies with data protection rules.

When to review your decision

You should regularly review your decision about appointing a DPO, particularly before:

Role of DPO or nominated person

A DPO or the person nominated to be responsible for data protection needs to:

  • tell you and your employees how to comply
  • monitor how well you’re complying
  • manage the practice’s activities
  • raise awareness
  • train staff
  • carry out audits
  • advise on and monitor DPIAs
  • cooperate with the regulator
  • be the first point of contact for the regulator and data subjects

Who to appoint

You can appoint a member of staff as a DPO as long as they have the right qualifications and there is no conflict of interest.

You can also appoint someone externally. They should have the same role as an internally appointed person.

The ICO has more information about DPOs.