Data Protection Officer

The role of 'DPO' came in with the General Data Protection Regulation (GDPR).

A DPO is someone an organisation must appoint IF

  • it is a public authority
  • has core activities that require regular and systematic monitoring of individuals on a large scale? For example, tracking and monitoring individuals' behaviour, such as on the internet or on CCTV
  • has core activities that involve processing on a large scale 'special categories'* of personal data, 'criminal convictions or offences data'
    * 'Special categories' means personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership
  • it processes genetic or biometric data for the purpose of uniquely identifying a natural person, data concerning health or data about a person's sex life or sexual orientation

It can also be advisable to have someone in the role of DPO if it would significantly improve or better manage your organisation's Information Governance and Cyber Security.

What is a DPO?


  • reports directly to the highest level of management and is given the required independence to perform their tasks
  • is involved, in a timely manner, in all issues relating to the protection of personal data
  • is sufficiently well resourced to be able to perform their tasks
  • is not penalised for performing their duties
  • is careful that other tasks or duties undertaken do not result in a conflict of interests with the role of DPO

What does a DPO do?


  • monitors compliance with the GDPR and other data protection laws, our data protection policies, awareness-raising, training, and audits.
  • provides advice and the information on data protection obligations
  • Provides advice and guidance on Data Protection Impact Assessments (DPIAs)
  • monitors the DPIA process
  • acts as a contact point for, and can consult with, the ICO
  • helps assess the risk associated with processing operations, and takes into account the nature, scope, context and purposes of processing
  • is easily accessible as a point of contact for our employees, individuals and the ICO

A DPO's contact details are published and communicated to the ICO

How can we help?

The role of DPO can be undertaken externally, based on a service contract with an individual or an organisation.

Exigia acts as DPO for organisations that do not have the capacity to appoint someone internally and takes on the same position, tasks and duties as an internally-appointed one.

Button with the legend 'contact us'

or call 0843 886 0505