Data protection laws provide that certain organisations must appoint a data protection officer (DPO). Every organisation should have a data protection lead/manager, whether or not they require a DPO.

The organisations which require a DPO are:

  • All public authorities or public bodies, defined as those caught by freedom of information legislation
  • Organisations whose core activities consist of processing ‘special categories’ of data (such as health data, trade union membership, political affiliation, biometric and genetic data etc) or data relating to criminal convictions or offences on a large scale. Law firms may fall into this category depending on the work that they do.
  • Organisations whose core activities require regular and systematic monitoring of data subjects on a large scale. Law firms would be unlikely to fall into this category.

‘Core activity’ means one that is inextricably part of the function of the organisation and not a support activity, including activities where the processing of data forms an inextricable part of the controller’s or processor’s activity.

‘Large scale’ means number/proportion/volume and/or different types of personal data, including the geographical extent of the processing activity.

Sole practitioners are not required to appoint a Data Protection Officer.

The second category may apply to some law firms. For instance, a criminal defence firm or a personal injury firm cannot provide legal services without processing special category data and so would appear to fall into the ‘core activities’ category. However, that may depend on the extent to which these areas of practice are the core activities of your firm.

It is difficult to determine what will be considered ‘large-scale’ processing. Guidance from the EU states that organisations should consider the following:

  • The number of data subjects concerned;
  • The volume of data;
  • The range of different types of data being processed;
  • The duration, or permanence, of the data processing activity; and
  • The geographical extent of the processing activity.

The Guidance provides examples of large-scale processing:

  • Patient data in the regular course of business by a hospital
  • Travel data of individuals using a city’s public transport system (eg tracking via travel cards)
  • Real-time, geo-location data of customers of an international, fast-food chain for statistical purposes by a processor specialised in providing these services
  • Customer data in the regular course of business by an insurance company or a bank
  • Personal data for behavioural advertising by a search engine
  • Data (content, traffic, location) by telephone or internet service providers


Examples that do not constitute large-scale processing include:

  • Patient data by an individual physician
  • Personal data relating to criminal convictions and offences by an individual solicitor

Whatever you decide for your firm, if you decide not to appoint a DPO, document your reasoning.

A DPO does not have to be an internal appointment – it can be an outsourced or shared service. Crucially, the DPO’s role is to monitor and advise on compliance and not to make decisions about the processing of data, as that would conflict with the role. Therefore, it can be challenging to identify someone who can be independent of processing decisions to fill this role, depending on the size of your firm.

Data protection lead/manager

Even if you do not appoint a DPO, you should nominate someone to take the lead in relation to this area and to be the point of contact for staff, clients and others. The restrictions in relation to who this person can be do not apply if they are not fulfilling the statutory role envisaged by the UK GDPR.