Do You Need To Appoint a DPO?

Do small businesses need to appoint a Data Protection Officer (DPO)?

Why would you want to? The Data Protection Act 2018 (which contains the GDPR in the UK) notes only three conditions under which such an appointment is mandatory:

1. If the processing is carried out by a public body.

2. If the core activities of the controller or processor consist of processing operations which require regular and systematic monitoring of data subjects on a large scale.

3. If the core activities of the controller or processor consist of processing on a large scale of special categories of data or personal data relating to criminal convictions or offences.

(Article 37 of the GDPR.) This makes the position fairly clear to the owners and managers of “small” businesses in the UK.

According to Article 37 of the regulation, you don’t need a DPO.

Yet there is a rather large “but” lurking round the corner of this answer. It is this: You don’t need a DPO but you do need DPO skills.

Who IS The DPO?

You need to deploy those new DPO skills in a way which precludes a conflict of interest.  

Many small business owners felt the need to appoint themselves as the DPO for their business during that helter-skelter run-up to the implementation of the Data Protection Act 2018 (DPA18).

You can see their names published on the long-forgotten privacy policy pages of their websites.

Which means the person in charge of the organisation has the responsibilities of a data controller (determining the purposes and means of processing personal data) and at the same time the obligation to uphold the rights and freedoms of the data subjects involved.

If you own or run the organisation, you can’t do both.

That’s a conflict of interest right there.

When something goes wrong and the time comes to demonstrate your accountability, either the regulator or a court of law is going to notice.

Avoiding conflicts of interest

Which means that before you ever decide where those DPO skills are going to be deployed, you need to be able to recognise the separation that should exist.

That is, separation between what you do as a business and how you manage privacy and data protection: how you protect the interests of both you (the business) and your data subjects (whose personal data you process).

In the context of most organisations, “data subjects” are usually customers and employees. The people who buy your products or services and the people involved in making and delivering those products and services.

So what DPO skills do you need?

There are four specific parts of the DPA18 and one more general aspect you need to know about.

1. Privacy By Design

2. Record Keeping

3. Security of Processing

4. Data Protection Impact Assessments

5. The Need To Improve Your Data Privacy & Protection Efforts


Privacy By Design And Default

The regulation places responsibility for implementing “appropriate technical and organisational” measures on the shoulders of the data controller “both at the time of determination of the means of processing and at the time of the processing itself”. Which means as you plan your latest product or service and as it becomes available, the protection of personal data is proven to be your default position. (Article 25)

Record Keeping

DPA18 requires a data controller to maintain records of processing activities for which it is responsible.

The content of the record is not onerous; it just requires some careful consideration of whatever it is you actually do in terms of processing personal data.

Whilst Article 30 contains an exemption for organisations employing fewer than 250 people, for this exemption to be valid it notes that processing should only be “occasional”.

For most small businesses, processing of personal data is likely to be a regular occurrence, so there will need to be records of processing. In more practical terms, it is only possible to apply the remaining requirements of the regulation if you have a clear understanding of what it is you actually do.

So even if you can decide you don’t need to maintain a record of processing, it’s probably still a good idea to do it.  And GDPRworkflow is the perfect place to manage this process.

Security of Processing

Both data controllers and data processors are responsible for deploying “appropriate technical and organisational measures”. The text of this part of the DPA18 is quite short but it covers every aspect of your processing of personal data. Good DPO skills can help you to interpret what is required and appropriate in the context of your own organisation. (Article 32)

Data Protection Impact Assessments

The “DPIA” for short. I have seen these written on a single side of A4 and I have seen at least one run to a perplexing but thankfully rare 140 pages. What is appropriate for your organisation depends very much on what you do. However, there is no small business exemption for Article 35.

The Need To Improve Your Data Privacy & Protection Efforts

  • Finding a lawful basis for processing;
  • Obtaining informed consent;
  • Managing consent;
  • Providing transparency about how you use personal data;
  • Vendor/processor management and risk assessment;
  • Controller/Processor agreements;
  • Employee awareness;
  • Processing data subject access requests (DSARs);
  • Managing data incidents and breaches;
  • Demonstrating accountability;
  • Liaising with the Information Commissioner's Office.


These are all pieces of work which are best carried out by, or under the guidance of, a trained expert. Perhaps you don’t need a DPO, but as a small business how do you plan to keep up with all these tasks?

It's a challenge, but can I suggest GDPRworkflow as an option to help you manage these tasks? And if you need extra help, a friendly DPO is standing by to help you out.


Thanks to our friendly DPO, Allan Simpson, for providing this excellent guest post.