Does a company need a DPO under UK law?

Large-scale: Monitoring threshold
Special category: Data type trigger
Criminal data: Processing trigger
Voluntary OK: DPO not mandatory otherwise

The Short Answer

A company must appoint a Data Protection Officer (DPO) under UK law only if its core activities involve large-scale, regular and systematic monitoring of individuals, or large-scale processing of special category or criminal offence data.

What the Law Says

The requirement for a Data Protection Officer (DPO) in the UK is set out in the UK General Data Protection Regulation (UK GDPR), which continues to apply post-Brexit as domestic law.

Under UK GDPR, appointing a DPO is mandatory only in three specific situations: (1) if the organisation is a public authority or body (except courts acting in their judicial capacity); (2) if its core activities involve regular and systematic monitoring of individuals on a large scale; or (3) if its core activities consist of large-scale processing of special category data (e.g., health, ethnicity, religion) or personal data relating to criminal convictions and offences.

The UK GDPR does not define 'large scale' precisely, but the UK Information Commissioner's Office (ICO) provides guidance — factors include the number of individuals affected, volume and range of data, duration of processing, and geographical extent.

Even if not legally required, organisations may appoint a DPO voluntarily. In such cases, the DPO’s tasks and position must still comply with UK GDPR requirements.

Statutory Text

The controller or processor shall designate a data protection officer if: (a) the processing is carried out by a public authority or body; (b) the core activities of the controller or processor consist of processing operations which, by virtue of their nature, scope and purposes, require regular and systematic monitoring of data subjects on a large scale; or (c) the core activities of the controller or processor consist of processing on a large scale of special categories of data... or personal data relating to criminal convictions and offences.

UK GDPR, Art. 37(1) — Designation of the data protection officer

Not legal advice. This article is general information based on publicly available sources, written for educational purposes. Laws change and individual situations vary. Consult a licensed attorney in your jurisdiction before acting on anything you read here. Last reviewed: 2026-06-08.