You are here:
  1. Home
  2. Support services
  3. Practice management
  4. GDPR
  5. Appoint a data protection officer (DPO)

Appoint a data protection officer (DPO)

Posted: 5 August 2019

You do not always have to appoint a data protection officer (DPO). In most cases, as a law practice, you will not have to. But you’ll need to make someone responsible for data protection.

You must document the reasons for your decision whether you decide to appoint a DPO or not.

You’ll need to check whether you need a DPO by evaluating how and why you process personal data against the criteria for appointing one.

When you must appoint a DPO 

As a law practice you must appoint a DPO if you have to carry out:

  • large scale, regular and systematic monitoring of people, for example online behaviour tracking
  • large scale processing of sensitive (special category) data or data relating to crimes and criminal convictions

You can find out more about when to appoint a DPO on the ICO website.

Your practice – not your DPO – is responsible if you do not comply with GDPR.

Voluntarily appointing a DPO

You should consider voluntarily appointing a DPO if it would be the most effective way of complying with data protection rules.

If you do appoint one they’ll need to:

If you do not appoint a DPO

If you decide not to appoint a DPO you should nominate someone to be responsible for making sure your practice complies with data protection rules.

When to review your decision

You should regularly review your decision about appointing a DPO, particularly before:

Role of DPO or nominated person

A DPO or the person nominated to be responsible for data protection needs to:

  • tell you and your employees how to comply
  • monitor how well you’re complying
  • manage the practice’s activities
  • raise awareness
  • train staff
  • carry out audits
  • advise on and monitor DPIAs
  • cooperate with the regulator
  • be the first point of contact for the regulator and data subjects

Who to appoint

You can appoint a member of staff as a DPO – as long as they have the right qualifications and there’s no conflict of interest.

You can also appoint someone externally. They should have the same role as an internally appointed person.

You can read more about DPOs on the ICO website.

> Next section: Consent

Recommended

New frontiers in DP
New frontiers in data protection conference

Half-day conference on 26 September, where expert speakers will explore major DP challenges for solicitors, identify new technology danger spots, practical advice on mitigating risk and more topics of interest.

New frontiers in data protection conference > More