The Data Protection Officer is one of the most significant governance appointments an organisation can make — yet it is also one of the most commonly misunderstood. Some organisations appoint a DPO simply to tick a compliance box, assigning the title to an existing member of staff without providing the resources, authority or independence the role legally requires. This approach creates a false sense of security while leaving the organisation genuinely exposed.
This guide explains what a DPO is legally required to do, what the independence requirement actually means in practice, and what a properly resourced DPO appointment delivers for your organisation.
The Legal Framework: Articles 37 to 39
The DPO role is defined across three articles of UK GDPR. Article 37 covers when appointment is required. Article 38 sets out the position of the DPO — the independence and resource requirements. Article 39 defines the DPO's tasks. Together, they create a role that is not simply advisory but carries genuine accountability and authority within the organisation.
Understanding all three is essential — because an appointment that satisfies Article 37 (i.e. a DPO has been named) but fails to meet the requirements of Articles 38 and 39 (i.e. they are not independent or not properly resourced) does not constitute compliance. The ICO can and does investigate the substance of DPO appointments, not just their existence.
The Five Core Tasks: Article 39
Article 39 of UK GDPR sets out five specific tasks that every DPO must carry out:
Inform and Advise
The DPO must inform and advise the organisation and its employees of their obligations under UK GDPR and other applicable data protection law. This is an ongoing, active responsibility — not a one-time briefing at the point of appointment.
Monitor Compliance
The DPO must monitor the organisation's compliance with UK GDPR, including assignment of responsibilities, awareness-raising among staff, training, and compliance audits. This requires genuine oversight authority and access to all processing activities.
Advise on DPIAs
Where a Data Protection Impact Assessment is required, the DPO must provide advice on how it should be conducted and monitor its execution. The DPO does not make the final decision on whether to proceed with high-risk processing — but their advice must be properly considered and documented.
Cooperate with the ICO
The DPO acts as the primary contact point between the organisation and the Information Commissioner's Office. This includes handling ICO enquiries, investigations and audits, and managing the organisation's registration and any formal correspondence.
Act as Contact Point for Data Subjects
Data subjects can contact the DPO directly with queries about how their personal data is being processed and to exercise their rights under UK GDPR. The DPO must be accessible, identifiable and responsive — their contact details should be published in the organisation's privacy notice.
Article 39 sets out the minimum tasks. In practice, an effective DPO does considerably more — including managing data breach responses, overseeing SAR handling, reviewing contracts with data processors, advising on data transfers, and maintaining the organisation's Record of Processing Activities.
The Independence Requirement: What Article 38 Actually Demands
Article 38 of UK GDPR contains some of the most practically significant — and most frequently violated — provisions in the legislation. It requires that:
- The DPO must not receive instructions regarding the exercise of their tasks
- The DPO must not be dismissed or penalised for performing their role
- The DPO must report directly to the highest management level of the organisation
- The DPO must be provided with the resources necessary to carry out their tasks
- The DPO must have access to personal data and processing operations across the organisation
- The DPO must be able to maintain their expert knowledge through ongoing training and development
These are not aspirational principles — they are legal requirements. An organisation that instructs its DPO to overlook a compliance issue, or that removes a DPO who raises uncomfortable findings, is in breach of UK GDPR independently of whatever other compliance failures the DPO may have identified.
The Conflict of Interest Problem: Why Combined Roles Are Risky
Article 38(6) permits the DPO to fulfil other tasks and duties, but states that the organisation must ensure that any such tasks and duties do not result in a conflict of interest. In practice, this is one of the most commonly mishandled aspects of DPO appointments.
A conflict of interest arises where the DPO is also in a position that requires them to determine the purposes or means of processing personal data. The ICO's guidance identifies a number of roles that are typically incompatible with the DPO function:
- Chief Executive or Managing Director — sets strategic direction including processing decisions
- Chief Financial Officer — controls financial processing and access
- Head of IT or Chief Technology Officer — determines technical processing architecture
- Head of HR or HR Director — responsible for employee data processing decisions
- Head of Marketing — controls customer data processing and consent strategies
- General Counsel or Head of Legal — may face conflicts where legal and data protection obligations diverge
The fact that these roles are commonly used as DPO appointments is precisely the problem. In many organisations, the Head of IT or HR Director is given the DPO title because they seem the most natural fit — but their operational responsibilities create structural conflicts that undermine the independence Article 38 requires.
The ICO can investigate whether a DPO appointment meets the independence requirements of Article 38. An appointment that exists on paper but lacks genuine independence does not satisfy the obligation — and the ICO has made clear that cosmetic compliance is not compliance at all.
What Does a DPO Do Day to Day?
Beyond the formal Article 39 tasks, an effective DPO is engaged across a wide range of day-to-day activities that keep the organisation's data protection programme functioning. These include:
Policy Management
Maintaining and updating the organisation's suite of data protection policies — including the privacy notice, data retention policy, data breach response plan, acceptable use policy and any sector-specific policies. Policies that are drafted once and never reviewed quickly become inaccurate and create compliance gaps.
Record of Processing Activities
Under Article 30 of UK GDPR, most organisations must maintain a Record of Processing Activities — a documented register of all the ways in which personal data is processed, including the legal basis, categories of data, data subjects, retention periods and any transfers. The DPO typically owns and maintains this record.
Vendor and Contract Review
When the organisation engages third parties who will process personal data on its behalf — cloud providers, payroll processors, marketing platforms, HR software — the DPO ensures that appropriate Data Processing Agreements are in place that meet the requirements of Article 28 of UK GDPR.
Staff Training and Awareness
Article 39 requires the DPO to raise awareness and provide training to staff. In practice this means designing and delivering (or commissioning) data protection training appropriate to different roles — not simply sending a policy document and asking staff to confirm they have read it.
Incident Response
When a personal data breach occurs, the DPO leads the organisation's response — assessing the breach, deciding whether ICO notification is required, managing the notification if so, overseeing communication to affected individuals, and ensuring the incident is documented in the breach register. A DPO who has never prepared an incident response plan will be creating one under severe time pressure.
SAR Management
Subject Access Requests are one of the most frequent sources of ICO complaints. The DPO provides guidance, templates and oversight for SAR responses — ensuring that requests are handled on time, that exemptions are applied correctly, and that the disclosure pack is complete and defensible.
Get a DPO who actually does all of this
Our outsourced DPO service covers every aspect of the role — from day-to-day compliance monitoring and policy management through to breach response, SAR oversight and ICO registration. Named DPO in place within 48 hours, from £695/month.
The Expert Knowledge Requirement: What Qualifies Someone to Be a DPO?
Article 37(5) of UK GDPR requires that the DPO be designated on the basis of professional qualities and expert knowledge of data protection law and practices. There is no prescribed qualification, but the ICO's guidance makes clear that the DPO's knowledge must be commensurate with the complexity of the processing activities and the level of protection required.
For most organisations, this means the DPO should have:
- Thorough knowledge of UK GDPR, the Data Protection Act 2018, and the ICO's guidance
- Understanding of the organisation's sector, business operations and processing activities
- The ability to promote a data protection culture and engage constructively with leadership
- Ongoing professional development to keep pace with regulatory changes and ICO enforcement trends
A junior administrator given the DPO title without appropriate expertise, authority or training does not meet this standard — and the organisation carries the compliance risk of that gap.
Frequently Asked Questions
What are the tasks of a DPO under UK GDPR?
Under Article 39, a DPO must: inform and advise the organisation and its staff of their data protection obligations; monitor compliance with UK GDPR; advise on and monitor DPIAs; cooperate with the ICO; and act as contact point for the ICO and data subjects.
Does a DPO have to be independent?
Yes. Article 38 requires that a DPO does not receive instructions regarding their tasks, is not dismissed or penalised for performing their role, and has no conflict of interest. This independence must be genuine — not just stated on paper.
Can a DPO also hold another role in the organisation?
Yes, provided there is no conflict of interest. Roles that require the individual to determine the purposes or means of processing personal data — such as Head of IT, HR Director or CFO — typically create conflicts that make a combined appointment non-compliant.
What qualifications does a DPO need?
UK GDPR does not specify a particular qualification. The DPO must have expert knowledge of data protection law and practices commensurate with the organisation's processing activities. There is no minimum qualification, but the ICO expects the knowledge to be genuine and current.
Does the DPO need to be a lawyer?
No. Many effective DPOs are not lawyers. The role requires deep data protection expertise and practical governance experience — legal training can be an asset but is not a requirement. What matters is the knowledge, independence and resources to do the job properly.