• Singapore
  • Hong Kong
  1. Osome Blog UK
  2. Does My Company Need A Data Protection Officer?

Does My Company Need A Data Protection Officer?

Although protecting an individual’s data and privacy is important, many business owners are wondering if it is really necessary to appoint a Data Protection Officer for their company. Furthermore, with the UK government exiting from the EU, some entrepreneurs of businesses registered in the UK are also wondering about the revised data protection law.

In this article, we will share about the changes of GDPR and what regulation applies to your business, the roles and responsibilities of a Data Protection Officer, and the importance of appointing one.


Previously, data protection laws in the UK were governed by EU General Data Protection Regulation (GDPR). This means, companies would follow EU GDPR during their collecting, using and processing of data. However, as the UK exited from the EU in January 2021, EU GDPR will no longer apply to the UK companies. Instead, EU GDPR has been incorporated into the UK data protection law, which is also known as UK GDPR.

If your company operates inside the UK and collects data of a UK citizen, you will need to comply with the UK GDPR. But if your company collects and processes data of EU citizens, you will need to comply with EU GDPR.

What Is a Data Protection Officer?

A data protection officer (DPO) is an independent data expert who oversees the security of personal data provided by the consumers and data protection regulations. In other words, a DPO is someone who safeguards precious personal information from external cyber attack and misuse of data. They are the ones who ensure that consumer’s personal data is not compromised.

What Are The Roles And Responsibilities Of A Data Protection Officer?

A DOP is usually in charge of the following tasks:

  1. Inform and advise the company and the staff about the obligations to comply with the UK GDPR and other data protection laws.
  2. Monitor internal compliance with the UK GDPR and other data protection laws.
  3. Manage internal data protection activities.
  4. Raise awareness among staff about data processing and ensure that they comply with the UK GDPR.
  5. Conduct internal audits to ensure compliance and raise potential data protection issues proactively.
  6. Provide advice and monitor the Data Protection Impact Assessments (DPIAs).
  7. Serve as the first point of contact for the Information Commissioner’s Office (ICO) and individuals whose data is being processed.

Likewise, a DPO needs to understand the risk of processing sensitive data while carrying out the above tasks.

When Do I Need To Appoint A Data Protection Officer?

Under the UK GDPR, it is mandatory to appoint a Data Protection Officer if your company falls within these categories:

  • A public authority or body
  • Your core activities require large scale, regular and systematic monitoring
  • Your core activities consist of large scale processing of special categories of data and data relating to criminals offences

A public authority refers to the following:

  • Government departments
  • Local government (such as councils)
  • National Health Service
  • Maintained schools and higher education sector
  • Police

Likewise, a public body refers to companies that are owned by the Crown or the wider public sector. If a company that is owned by both the Crown and the wider public sector, it is also considered as a public body.

What Is Considered As Core Activities?

Core activities are defined as the primary business activities of your company. There are companies that require processing of personal data in order to achieve their key objectives.

Tim works in a cooking school that provides cooking and baking lessons to the public. The school collects personal data of students who have signed for lessons. However, they use and process these data to recommend other new lessons to them or share it with third party vendors such as a food & beverage company. These personal data are considered as core activities, as it helps to drive revenue to their cooking school.

A pharmaceutical company processes a special data of the customers who have attended a clinical trial. These special data comprises their health, race, religion and sexual orientation. This can be considered as processing special data on a wide scale.

My Business Is A Small And Medium Enterprise (Sme). Do I Still Need To Appoint A DPO?

It is not mandatory for small and medium size enterprise businesses to appoint a DPO. However, that doesn’t mean they shouldn’t. Though it’s not required under UK GDPR, you may voluntarily do so. Many small and medium size enterprise businesses might not have set aside a budget for a DPO, and believe it is not necessary. But there are many benefits in appointing a DPO. The appointed officer is able to advise you on data processes and raise any potential misuse of data. As more people are sharing their personal data online and instead of getting worried about data being compromised, a DPO will ensure these personal data are protected according to the regulations.

If you have questions about appointing a DPO for your company or want to find out more, drop us a line and we are happy to chat with you!

What Kind Of Qualification Should A Data Protection Officer Possess?

Under the UK GDPR, it doesn’t specify the qualification a DPO should possess. However, a DPO should have the following:

  1. Have experience and expert knowledge of the UK GDPR and other European data protection law.
  2. Able to handle high sensitive data and anticipate any potential issue arising from these data.
  3. Possess a good knowledge of the company’s industry, data protection needs and processing of core activities.

Who Can Be My Company’s Data Protection Officer?

An existing staff member of your company who possesses the knowledge of UK GDPR and able to handle the data collected can be a DPO. For small and medium businesses where there might be a shortage of staff who are trained in this aspect, it is common for them to outsource the role of DPO externally. And that is perfectly fine too. What is more important is that the tasks and the duties must be the same as the one given to an existing staff.

What Information Should I Publish About My Data Protection Officer?

After appointing a DPO for your company, you will need to publish the contact details of your DPO. The purpose of releasing this information is to enable the public and ICO to contact your DPO if they face any issue regarding their personal data.

Will I Be Penalised If My Company Decides Against Appointing A Data Protection Officer?

Perhaps, after some deliberation, your company may have decided not to appoint a DPO either voluntarily or you do not fit the requirements. Under the UK GDPR, there is no penalty if you have decided not to. However it is advisable to record the decision that you have decided not to appoint a DPO as a way to demonstrate your compliance to the regulations.

The Importance Of Appointing A Data Protection Officer

As companies rely on digital technology and personal data to operate their businesses smoothly and effectively, it runs the risk of getting this important information being compromised. Although UK GDPR only requires companies that are a public authority or body to appoint a DPO, it is likely SME companies will soon have to appoint a DPO. This is due to the nature of the data processed and the core activities that the company handles. Companies might handle sensitive personal data at some point during their business transactions. Therefore, it is important to appoint a DPO to oversee your company’s data protection activities. With a DPO, the appointed person is able to review the existing data protection practices and update the processes periodically.


As you can tell, DPO plays an important role in companies today by monitoring internal compliances. Likewise, it is not the size of the companies that matters. What’s important is the amount of data and the scope of activities that the company processes. If you have more questions on how Brexit is affecting your business in the UK, we’ve put together a concise guide of everything you need to know.

Share this post:

Tips to run your business smarter.
Delivered to you monthly.

You'll receive a verification email you'll have to open and confirm the subscription.

You might like it

Running My Business

How the Increase In National Insurance Contribution Rates Will Impact Your Business

After making it through the pandemic, how will the new Health and Social Care Levy (HSCL) affect your bottom line? Many small businesses will feel overwhelmed. But you can take control by understanding the immediate changes and preparing for the future consequences for your business.


The Ultimate Website Design Guide for E-commerce

If you’re looking to improve your e-commerce page and improve sales, you might want to learn the fundamentals of how to design a good website.

Entrepreneur's Bootcamp

Invoice Best Practice for SMBs in the UK

In this article we’ll unpack some best practice tips to help you improve your invoicing and streamline your biz to take the pressure off your cash flow. Take a look.


A Guide for EU Companies Expanding to the UK: What You Need To Know

Things might have changed after the transitional period, but that doesn’t mean expanding to the UK is not possible. In this guide, we will show you some of the things you need to know when you are planning to expand your business to the UK

Running My Business

Should I Close My Company or Make It Dormant?

Choosing between closing your company for good and making it dormant is a huge decision to make. Before taking that step, get to know what the consequences are for each decision. We’re here to help.


Shopify Plans And Prices Analysis: Which Is The Best?

When you start an online business, you will definitely require a platform like Shopify for you to perform basic business operations. This article helps you to see which Shopify plan is best for the stage of the business you’re at.

Entrepreneur's Bootcamp

Tips To Maintain a Compliance Calendar

The repercussions of missing crucial deadlines extend beyond non-compliance and can even include hefty fines, lost revenues and opportunities, as well as decreased productivity.


How Amazon Sellers Can Better Manage Inventory To Improve Sales & Cashflow

Brand owners and sellers of all scales struggle to seek a well-balanced supply chain. Additionally, Amazon has its own inventory management rules, which makes everything even tougher.


10 Best Hosting Providers for E-commerce in 2021

If you are looking to sell online, the right e-commerce hosting provider can make all the difference. However, with a variety of options out there, choosing the best provider can be confusing.


What an Invoice for E-commerce Businesses Needs To Have

For business owners who own and run an online store, you probably already know that invoices must be sent to your customers for the services you provide or the goods you sell, as a form of purchase proof.


How New Company Owners Should Prepare Financial Statements

After you register your company, you may want to start thinking about your company’s finances such as monthly income, expenses and taxes because UK company owners need to submit their company’s annual accounts to Companies House.


What Are the KYC or Know Your Customer Checks In the UK When Opening a Company?

KYC checks are needed for the authorities to combat money laundering and terrorism financing. You might unwittingly partner up with clients who are using their business relationship with your company to launder money or facilitate other nefarious projects.

Tips to run your business smarter. Delivered to you monthly.

You'll receive a verification email you'll have to open and confirm the subscription.

We’re using cookies! What does it mean?