At a glance
If you’re a new business owner looking into your obligations under GDPR, you probably saw the term Data Protection Officer and started sweating. It sounds formal and important and expensive. But worry not. Take a deep breath, look in the mirror. You see that person looking back at you? That’s your Data Protection Officer.
The short answer is that a dedicated Data Protection Officer is only mandatory in a few quite specific situations and, if you’re reading this, you’re probably not in one of those situations. Most small and medium-sized websites don’t need one. But some businesses appoint one voluntarily, and that can make sense too.
The slightly longer answer: it depends on what you do. Let’s go through the rules clearly – and help you work out which side of the line you’re on.
When a DPO is mandatory
GDPR Article 37 requires you to appoint a DPO in three specific situations:
- You are a public authority or body: government departments, councils, regulators, courts. Not charities or companies that do public-sector work under contract – just public authorities themselves.
- Your core activities require large-scale, systematic monitoring of individuals: think fraud detection networks, CCTV surveillance providers, ad tech companies tracking behaviour across the web, ISPs monitoring traffic.
- Your core activities consist of large-scale processing of special category data or criminal conviction data: health data, biometric data, data about religion, ethnicity, sexuality, trade union membership, or criminal records at scale.
Two phrases do a lot of work here: “core activities” and “large-scale.”
Core activities means the primary business purpose – not peripheral admin. A hospital’s core activity involves processing health data. An accountancy firm that processes employee health data for its payroll system doesn’t – that’s a supporting activity.
Large-scale is not defined precisely in GDPR, but data protection authorities consider factors like: the number of individuals involved, the volume and range of data, the duration of processing, and the geographic extent. Processing a few thousand customers’ data as part of normal business operations generally doesn’t qualify as large-scale.
When you don’t need a DPO
Most small and medium-sized websites and businesses do not need a mandatory DPO.
Running Google Analytics on your website and having a contact form, even if thousands of people are filling it in every month, doesn’t make you a “large-scale systematic monitor.” Having an email marketing list of 100,000 people doesn’t make you a “large-scale processor.” Both the scale and the nature of what you do matter.
If you’re a small business, a startup, or a typical website owner, you almost certainly don’t need a mandatory DPO. You do need the other things: a privacy policy, a consent banner, DPAs with vendors, and a way to handle user rights requests.
What a DPO actually does
For organisations that do need one, the DPO has a defined set of responsibilities under GDPR Article 39:
- Informing and advising the organisation and its staff on their GDPR obligations
- Monitoring compliance with GDPR and internal privacy policies
- Advising on Data Protection Impact Assessments (DPIAs) for high-risk processing
- Cooperating with the supervisory authority (the regulator) and acting as the point of contact
- Handling inquiries from data subjects about how their data is processed
The DPO must be independent – they can’t be instructed to take a particular position on a compliance question, and they can’t be dismissed for doing their job. This is why placing a DPO role inside a legal or IT team without proper independence creates structural problems.
Watch out
If you are considering appointing someone as a DPO voluntarily to show you take privacy seriously, that appointment has legal weight. You can’t appoint a DPO and then override their advice, fire them for raising concerns, or appoint someone who has a conflict of interest (like a senior manager whose job it is to maximise data use). A nominal or checkbox DPO creates more risk than not having one.
Should you appoint one voluntarily?
Some organisations that don’t meet the mandatory threshold still appoint a DPO voluntarily – and there are real reasons to consider it:
- You process sensitive data (health records, financial information) even if not at “large scale”.
- Privacy is part of your product proposition – you want a credible, independent voice on privacy questions.
- You operate in highly regulated markets (fintech, healthcare, edtech) where privacy scrutiny is high.
- Your legal or compliance team has no privacy expertise and is unlikely to get it.
- You want to build trust with enterprise customers who expect evidence of privacy governance.
If you do appoint one voluntarily, the same independence requirements apply. You get the benefits – but you also take on the responsibilities.
If you don’t have a DPO
No DPO doesn’t mean no privacy oversight. For businesses that don’t need or want one, the alternative is designating an internal responsibility for privacy: someone who owns the privacy policy, handles rights requests, reviews new tools before deployment, and keeps the data inventory up to date.
It doesn’t need to be a full-time job for most small businesses – but someone needs to own it.