Yes, you can. The GDPR is explicit on this point. In many ways, it is the best solution because it guarantees independence, you can rely on subject matter knowledge being the best, and it is very cost-effective.

Yes, you can. However, you must be careful that there are no conflicts of interest. For example, the IT Director would not be the best person to take an objective view of system security, and the Marketing Director will be under pressure to create new methods of communication. Also, it is Murphy's law that if the Marketing Director is the DPO, then the data breach will be six weeks before Christmas when his focus is on maximising sales over this period, or if it's the Finance Director the problem will happen just as the financial auditors walk through the door.

No. It is all about the amount of data you process, the type of data you process, or how often you process personal data.

Every organisation, including sole proprietorships, is required to hire at least one person, as a Data Protection Officer, who is responsible for making sure that the organisation complies with the Data Protection Act. 

Organisations must ensure that at least a single DPO's business contact information is available to the public. It can be a general telephone or email address of the organisation.

The DPO can be someone whose work scope entirely relates to data protection. It can also be a person in the organisation who can take multiple responsibilities and fulfil them wisely. Compliance from an organisation with the DPA remains the responsibility of the organisation notwithstanding the appointment of the data protection officer.


An organisation stands liable for even a single piece of personal data in its possession. This is related not only to employees' data but personal data of other people such as clients or shareholders. The DPA needs an organisation to hire an individual to be responsible for ensuring compliance with the DPA.

Your Company will be responsible for assuring compliance with the DPA as far as it is kept on collecting, using and disclosing personal data, or has personal data in its possession or control. 

When the online submission is successful, they will send an acknowledgement email on the provided email address. If you don't receive the acknowledgement email, do check your spam folder. 

The does not make it obligatory to inform the ICO of your DPO's details. This will assist DPOs to keep abreast of relevant personal data protection developments.

No, it does not include any fee to register a DPO.

No, there is no need for a company undergoing liquidation to register a DPO.

A dormant company with no business operations need not register its DPO.

The provisions of the DPA came into force on 2 July 2014 and required organisations to designate at least one individuals to be accountable for ensuring compliance with the DPA. If your Company is handling personal data, you should appoint at least one individual as the DPO. 

GDPR says you have to appoint a DPO if:

  • You are a public authority or body (excluding court personnel).
  • Your main activities require large scale, regular and systematic monitoring of individuals.
  • Your activities depend on large scale processing of special categories of data or data relating to criminal convictions and offences.

This is applicable for both controllers and processors. You can appoint a DPO on your wish, even if it is not required to. If you decide to appoint a DPO voluntarily, you must know that the same requirements of that position and tasks apply makes the appointment compulsory.

No matter GDPR makes it essential for you to appoint a DPO, you have to assure that your Company possesses sufficient staff with resources to exempt you from GDPR obligations. Further, a DPO helps organisations to operate within the law. He advises and helps companies to monitor their compliance level. In this way, a DPO plays a crucial job in your organisation's data protection governance structure by helping accountability.

If you are not planning to hire a DPO, neither voluntarily nor because you don't meet the criteria, that would be a good idea to record this decision to help demonstrate compliance with the accountability principle.

  • The GDPR says that a DPO must have an experience and expert knowledge of data protection law.
  • It doesn't specify the correct credentials which they have, but it depends on the type of processing an organisation carries out.
  • So, where the processing of personal data is particularly complex or risky, the knowledge and abilities of the DPO should be correspondingly advanced enough to provide adequate oversight.
  • It would be an advantage for your DPO to also have a good knowledge of your industry or sector, as well as your data protection needs and processing activities.

The GDPR says yes for that, but further tasks and duties, must not result in a conflict of interests with the DPO's core responsibilities.

You can externally contract out the role of DPO. It must be based on a service contract with an organisation or an individual. It's essential to be aware that an externally-appointed DPO should have the same position, tasks and duties as an internally-appointed one.

  • You may appoint a single DPO to act for a group of companies or public authorities.
  • If your DPO covers several organisations, they must still be able to perform their tasks effectively, taking into account the structure and size of those organisations. This means you should consider if one DPO can realistically cover a large or complex collection of organisations. You need to ensure they have the necessary resources to carry out their role and be supported by a team if this is appropriate.
  • Your DPO must be easily accessible, so their contact details should be readily available to your employees, to the ICO, and people whose personal data you process.
  • The GDPR provides that an organisation must appoint a single DPO to carry out the tasks required in Article 39, but this doesn't prevent it selecting other data protection specialists as part of a team to help support the DPO.
  • You need to determine the best way to set up your organisation's DPO function and whether this necessitates a data protection team. However, there must be an individual designated as the DPO for the GDPR who meets the requirements set out in Articles 37-39.
  • If you have a team, you should set out the roles and responsibilities of its members and how it relates to the DPO.
  • If you hire data protection specialists other than a DPO, they mustn't be referred to as your DPO, which is a specific role with particular requirements under the GDPR.

You must ensure that:

  • The DPO is involved, firmly in every single matter of the data protection.
  • The DPO reports to the highest management level of your organisation, ie board level;
  • the DPO operates independently and is not dismissed or penalised for performing their tasks;
  • you provide adequate resources (sufficient time, financial, infrastructure, and, where appropriate, staff) to enable the DPO to meet their GDPR obligations, and to maintain their expert level of knowledge;
  • you give the DPO proper access to personal data and processing activities;
  • you give the DPO appropriate access to other services within your organisation so that they can receive essential support, input or information;
  • you seek the advice of your DPO when carrying out a DPIA; and
  • you record the details of your DPO as part of your records of processing activities.

This shows the importance of the DPO to your organisation and that you must provide sufficient support so they can carry out their role independently. Part of this is the requirement for your DPO to report to the highest level of management. This doesn't mean the DPO has to be line managed at this level, but they must have direct access to advising senior managers who are making decisions about personal data processing.

The GDPR requires you to:

  • Publish the contact details of your DPO; and
  • Provide them to the ICO.

There is no need to include the DPO's name while publishing his contact details. However, you can select to provide this if it's necessary or helpful for you.

In the following circumstances you ought to provide your DPO's contact details in these circumstances:

  • When consulting the ICO under Article 36 about a DPIA; and
  • When giving privacy information to individuals under Articles 13 and 14.

Many organisations take outsourcing as a more cost-effective rather hiring in-house or a full-time DPO. Many organisations do not have anyone with the required expert knowledge of UK and EU data protection law and practices, which is sufficiently independent of decision making within the organisation. Avoiding such internal conflicts of interest is an essential requirement of GDPR.

Article 39 of GDPR contains an inventory of the minimum tasks must be fulfilled by the Data Protection Officer. The primary task is to monitor the level of compliance of an organisation in accordance with the law and regulatory requirements. Fundamentally, the DPO informs and advises the Data Controller, Processor and Board on data protection issues which include the protection of personal data, assignment of responsibilities, awareness-raising and training of staff. 

Not personally but, the DPO is responsible for advising the data controller and processor on how to ensure that their organisations achieve compliance.

GDPR states that the following requires a DPO: 

  1. Public authorities or bodies. This incorporates organisations which are subject to the Freedom of Information Act in England and Wales and the Freedom of Information (Scotland) Act in Scotland.
  2. Also Organisations whose core activities comprises of processing data of special categories such as personal data showing race or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data for uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation and lastly, the data which relates to large scale criminal convictions or violations.
  3. If an organisation's core activities need regular and systematic monitoring of data subjects on a large scale.

The DPO must report to the higher management and have access to the Board to make recommendations.

Yes, as long as it is processing personal data of EU citizens and its Company requires a DPO following GDPR (Article 37). 

Yes, if your data subjects belong to the EU and as directed in GDPR (Article 3). 

The DPO can be an existing employee; however, it can also be shared jointly amid organisations. However, according to a requirement, the DPO have to be independent that is to avoid conflicts of interest or even when a full-time DPO is not required, outsourcing the DPO function is a cost-effective option.