Updated

Guide

Appointing a data protection officer (DPO) – guide for law practices

02 Oct 2025

1 minute read

You do not always have to appoint a data protection officer (DPO). In most cases, as a law practice, you will not have to. But you’ll need to make someone responsible for data protection.

Whether you decide to appoint a DPO or not, you must document the reasons for your decision.

You’ll need to check whether you need a DPO by evaluating how and why you process personal data against the criteria for appointing one.

When you must appoint a DPO

As a law practice you must appoint a DPO if you have to carry out:

large scale, regular and systematic monitoring of people. For example, online behaviour tracking
large scale processing of sensitive (special category) data or data relating to crimes and criminal convictions

Read the Information Commissioner's Office (ICO) guidance on when to appoint a DPO.

Your practice – not your DPO – is responsible if you do not comply with GDPR.

Voluntarily appointing a DPO

You should consider voluntarily appointing a DPO if it would be the most effective way of complying with data protection rules.

If you do appoint one they’ll need to:

have the right qualifications and skills
meet all the requirements of a DPO (as set out in Articles 37 to 39 of the UK GDPR)

If you do not appoint a DPO

If you decide not to appoint a DPO you should nominate someone to be responsible for making sure your practice complies with data protection rules.

When to review your decision

You should regularly review your decision about appointing a DPO, particularly before:

any change in the way you process data
carrying out a data protection impact assessment (DPIA)

Role of DPO or nominated person

A DPO or the person nominated to be responsible for data protection needs to:

tell you and your employees how to comply
monitor how well you’re complying
manage the practice’s activities
raise awareness
train staff
carry out audits
advise on and monitor DPIAs
cooperate with the regulator
be the first point of contact for the regulator and data subjects

Who to appoint

You can appoint a member of staff as a DPO as long as they have the right qualifications and there is no conflict of interest.

You can also appoint someone externally. They should have the same role as an internally appointed person.

The ICO has more information about DPOs.

Save to bookmark

Print

Data protection

Online Learning

GDPR and information technology

Go to online learning

Books

Compliance and Ethics in Law Firms

Online Learning

Introduction to GDPR for COLPs and DPOs

Go to online learning

Related articles

Can the deadline for a subject access request be extended?

I've received a subject access request from a client. I’m going to struggle to comply with the UK GDPR response deadline because of the large volume of documents. Can the deadline be extended?

Changes to GDPR – what solicitors need to know

Parts of the UK GDPR have been changed and replaced by the Data (Use and Access) Act 2025. Find out what this means for your legal practice and what you need to do to stay compliant.

Consent form: Access to client health records

Consent form to be used for the release of health records under the GDPR and the Data Protection Act 2018.