You do not always have to appoint a data protection officer (DPO). In most cases, as a law practice, you will not have to. But you’ll need to make someone responsible for data protection.
You must document the reasons for your decision, whether or not you decide to appoint a DPO.
You’ll need to check whether you need a DPO by evaluating how and why you process personal data against the criteria for appointing one.
When you must appoint a DPO
As a law practice you must appoint a DPO if you have to carry out:
- large scale, regular and systematic monitoring of people, for example online behaviour tracking
- large scale processing of sensitive (special category) data or data relating to crimes and criminal convictions
You can find out more about when to appoint a DPO on the ICO website.
Your practice – not your DPO – is responsible if you do not comply with GDPR.
Voluntarily appointing a DPO
You should consider voluntarily appointing a DPO if it would be the most effective way of complying with data protection rules.
If you do appoint one, they’ll need to:
- have the right qualifications and skills
- meet all the requirements of a DPO (as set out in Articles 37 to 39 of the Regulation)
If you do not appoint a DPO
If you decide not to appoint a DPO you should nominate someone to be responsible for making sure your practice complies with data protection rules.
When to review your decision
You should regularly review your decision about appointing a DPO, particularly before:
- any change in the way you process data
- carrying out a data protection impact assessment (DPIA)
Role of DPO or nominated person
A DPO or the person nominated to be responsible for data protection needs to:
- tell you and your employees how to comply
- monitor how well you’re complying
- manage the practice’s activities
- raise awareness
- train staff
- carry out audits
- advise on and monitor DPIAs
- cooperate with the regulator
- be the first point of contact for the regulator and data subjects
Who to appoint
You can appoint a member of staff as a DPO – as long as they have the right qualifications and there’s no conflict of interest.
You can also appoint someone externally. They should have the same role as an internally appointed person.