Do I need a Data Protection Officer (DPO) for GDPR?


The size and scale of your organisation tends to dictate if a DPO is required.A DPO is responsible for processing personal data on behalf of the Data Controller.  A Data Controller determines the purposes, conditions and means of processing of personal data.

 As a guide a DPO should only be appointed if the core activities of the organisations Data Controller consist of activities that fall into one of the below categories:

  1. Processing operations which require large-scale, regular and systematic monitoring of data subjects, i.e. Banks, Insurance Companies, Law Firms;
  1. If you are a public authority or carry out large-scale processing of special categories of personal data: those revealing racial/ethnic origin; political opinions; religious or philosophical beliefs; trade-union membership, and the processing of genetic and biometric data to uniquely identify an individual; data concerning health or sex life and sexual orientation (this can only be processed under strict conditions such as where consent has been given), or data relating to criminal convictions or offences.

If your organisation does not fall into one of the above categories you do not need to appoint a DPO. For more details see Article 37 of the GDPR


For further practical advice to help prepare for GDPR see the Whitepapers in our Resource Centre by signing up to Gravicus Osprey, where you can also gain access to data management tools.


Telephone: 0203 858 0636

Email:  info@



Data management doesn’t have to be complicated