
Do you actually need a data protection officer?

Andy Williamson 21 April 2026

A company founder calls because the IT director has put a question on the agenda. Does the business need a data protection officer (DPO), or does it not? They've read three different answers already. A law firm has sent over a page of UK GDPR Article 37 language. A DPO-as-a-Service provider has said yes, obviously, and would be delighted to quote. Someone on LinkedIn is telling them the rules are changing anyway and they can hand the work to a Senior Responsible Individual instead. They'd like a straight answer.

The straight answer is that two separate questions are being stitched together, and it helps to pull them apart. The first is whether the law actually requires a DPO. The second is what a DPO is for, and what it costs to have one properly. Most of the confusion across the market in 2026 comes from treating those as one question. They're not.

Before going further, the SRI point needs closing off because it's one of the most common pieces of misinformation on this topic. The Data (Use and Access) Act 2025 did not replace the DPO role. The Senior Responsible Individual model appeared in the earlier Data Protection and Digital Information Bill, which did not become law. The DUAA made one textual change to Article 37. It inserted 'and tribunals' into the carve-out at Article 37(1)(a), so that tribunals acting in their judicial capacity sit outside the public authority DPO trigger in the same way as courts. The amendment is at Schedule 11, paragraph 11, and was commenced on 20 August 2025 by SI 2025/904, reg 2(y). That's the entirety of it. If anyone has told you the DPO requirement has been softened, rescoped, or replaced, they have been misinformed.

Part one: when the law actually requires a DPO

UK GDPR Article 37(1) has three triggers, any one of which is sufficient on its own.

The first is a public authority or body carrying out processing of personal data. In practice this catches central government departments, local authorities, NHS bodies, police forces, most schools, and a wider group of public facing bodies than many organisations realise.

The second is a private or public body whose core activities consist of processing operations requiring regular and systematic monitoring of data subjects on a large scale. In practice this is where most commercial organisations land, if they land anywhere.

The third is a body whose core activities consist of processing special category data or criminal offence data on a large scale.

The operative terms, 'core activities,' 'large scale,' and 'regular and systematic monitoring,' aren't defined in the regulation. They are defined in the Article 29 Working Party's Guidelines on Data Protection Officers (WP243), adopted in December 2016, revised in April 2017, and endorsed by the European Data Protection Board. The ICO treats WP243 as the interpretive source for Article 37(1), so its tests are what actually determine whether a designation is required.

Core activities are the primary business functions, not the administrative support functions. Running payroll isn't a core activity for a hospital. Processing patient records is. WP243 is explicit that activities 'inextricably linked' to the main service count as core.

Large scale is assessed against four factors: the number of data subjects, the volume and range of data, the duration of the processing, and its geographical extent. There's no numeric threshold. A hospital processing the records of every patient who walks through the door is a large scale processor. A small GP practice, on WP243's own example, normally isn't.

On regular and systematic monitoring, the test is broader than the phrase suggests. It catches any tracking or profiling that is ongoing and methodical, whether or not it is digital. Behavioural advertising, connected devices, loyalty schemes, staff monitoring, CCTV across a portfolio of sites, and most AI driven personalisation meet it.

One clarification is worth making because it surfaces often. Article 37(1) applies to processors as well as controllers. A processor running large scale processing of the relevant types must designate its own DPO, separately from whatever its clients have designated.

Where the triggers actually bite, sector by sector

Schools are the sector where the misunderstandings are most consistent. Maintained schools fall under FOIA Schedule 1, Part IV, and are public authorities. Academies, free schools, and multi-academy trusts are on Schedule 1 as well, by virtue of paragraph 52A, inserted by the Academies Act 2010. Both must designate a DPO. Independent schools are not on FOIA Schedule 1 and are not public authorities, so their obligation runs through the other two Article 37(1) triggers. Many will still meet them because of the volume of special category data they process, but the route to the designation is different.

Healthcare is the clearest category outside the public authority limb. NHS trusts and most private healthcare providers process special category health data at a scale that clears WP243's four factors easily.

Financial services is more nuanced. There is no Senior Management Function for DPO under the FCA regime, so the FCA does not prescribe a DPO designation. The UK GDPR tests apply in their own right, and most retail banks, insurers, and consumer lenders hit them through large scale monitoring or special category processing.

Law firms face a specific structural issue. A Compliance Officer for Legal Practice under the SRA regime cannot be combined with the DPO role unless the firm's risk profile happens to avoid the conflict of interest concerns described below. The assumption that 'we have a COLP so we're fine' will not survive an ICO review.

Charities, recruitment firms running volume background checks, and any business doing systematic behavioural analytics on UK consumers should expect to land inside one of the three triggers and should not rely on sector silence as reassurance.

Part two: what a DPO actually is, and what it costs to have one properly

Assume the designation is required. What are you designating?

Article 39 sets out the statutory tasks: informing and advising the organisation and its employees of their obligations, monitoring compliance with UK GDPR and internal policies, providing advice on Data Protection Impact Assessments (DPIAs), cooperating with the ICO, and acting as the contact point for the ICO. Article 38(4) adds a separate obligation: data subjects must be able to contact the DPO on issues relating to their rights.

Article 38 sets out the position the DPO must occupy. They must be involved, properly and in a timely manner, in all data protection matters. They must have the resources to perform their tasks. They must be independent in the performance of those tasks, report to the highest management level, and not be dismissed or penalised for performing them.

Article 38(6) is the clause that catches most organisations out. A DPO may hold other tasks and duties, but the organisation must ensure those other tasks do not result in a conflict of interest. WP243 footnote 34 names the roles it considers presumptively conflicted: chief executive, chief operating officer, chief financial officer, chief medical officer, head of marketing, head of human resources, and head of IT. The Belgian data protection authority's Decision 18/2020 applied this by fining an organisation €50,000 for designating its director of audit, risk and compliance as DPO, on the ground that the same person could not independently supervise their own compliance. The Court of Justice of the European Union reached a compatible conclusion in Case C-453/21 (X-FAB Dresden).

The cases describe, more precisely than the statute does, what a DPO cannot simply be, and the structural separation the organisation has to engineer around them.

A further compression is now visible across the market. The IAPP's Privacy Governance Report 2024 records that 68% of privacy professionals and 69% of Chief Privacy Officers have taken on AI governance responsibilities, with 55% in functions that have formal AI governance remits. The statutory DPO workload, already full, is increasingly being asked to absorb AI governance expectations on top. A DPO in name only, without the time, independence, or fluency to do the work, is the failure mode regulators now notice.

Four structural positions, not one question

The designation question rarely produces a clean yes or no. What tends to surface instead is one of four structural positions, and choosing the right one is most of the decision.

Statutory DPO. Required under Article 37(1). Full Article 39 scope. Article 38 position architecture. Independence. Reports to highest management. May be internal or under an Article 37(6) service contract. Most mid market organisations with a statutory obligation find the service contract route cheaper and, properly structured, more independent, because the DPO sits outside the management chain by construction.

Voluntary DPO. The organisation isn't required to designate, but chooses to. WP243 is clear that once an organisation uses the title, the full UK GDPR framework applies. The voluntary designation isn't a middle ground. It is the full discipline with no statutory trigger.

Privacy lead without DPO title. Appropriate for organisations outside all three Article 37(1) triggers that still need senior privacy capability. The individual has responsibility, but the organisation is careful not to use the DPO title externally, on the website, or on registration forms. This is the correct structure for many mid market businesses and is the one most commonly mislabelled.

Shadow DPO. The arrangement I see most often when a board has been through the compression of the last two years. A senior manager, often the head of IT or the head of HR, has taken on 'privacy' as part of their role, without the title, without Article 38 independence, and without the time. The organisation has, in effect, built a structure that fails two legs of Article 38 while still carrying the processing risk the designation was meant to address. It is a well intentioned arrangement that tends to hold until the day the ICO asks who the DPO is.

The DPO-as-a-Service market exists partly to unwind those arrangements cleanly. Penby operates in this space alongside a number of UK providers: The DPO Centre, Securys, Evalian, Data Protection People, DPAS, GRCI Law, Trust Keith, Aphaia, Mishcon DPO, and PrivacySolved, among others. The right choice between them depends on sector fit, assurance requirements, and how the Article 38 position will be constructed in practice.

The analogy I come back to when a board is weighing these options is that a DPO designation is closer to appointing an external auditor than to hiring a compliance manager. The role is defined by its independence from the operational chain, not by where the person sits in the organisation chart. Once that frame lands, the structural choice tends to clarify quickly.

Where UK enforcement actually concentrates

The UK enforcement pattern on DPOs is not really about organisations that failed to designate one. It is about organisations whose DPO could not do the job.

The ICO's November 2022 reprimand of the Department for Education concerned its Learning Records Service database, which had been used by a third party screening firm for age verification on online gambling accounts. The ICO concluded that the department's structure had left its DPO 'functionally unable to comply with Articles 37, 38 and 39' of UK GDPR. A DPO had been designated. The structural conditions around the role hadn't.

Chelmer Valley High School received a reprimand in July 2024 for using a facial recognition system in its canteen without a compliant DPIA or lawful basis. The public notice describes the DPIA failure. Behind the DPIA failure, on the pattern the ICO keeps flagging, was a DPO function that was not in a position to do the Article 39 work at the point it needed doing.

The Cabinet Office programmatic real-time bidding reprimand, publicly disclosed in 2022, followed a similar pattern: DPO advice was recorded in the DPIA, and the processing continued regardless. The ICO did not frame its finding under Article 38, but the shape is familiar.

The ICO's multi-academy trust audit, covering 11 trusts and 325 schools, found designated DPOs in place but recorded widespread weaknesses in training, records of processing, data protection impact assessments, and data sharing arrangements. The failure, again, sat in the support around the DPO rather than in the absence of one. The pattern is consistent enough to be read as guidance about where the regulator is looking.

The shape of the real decision

The harder half of the decision is structural. Whether a DPO must be designated is normally the easier part. What it takes to make the designation real, the Article 38 architecture, the Article 39 tasks, the independence, the time, the AI governance load now sitting on top of the data protection load, is what determines whether the organisation is actually protected.

A voluntary DPO is not a privacy lead. A privacy lead is not a shadow DPO. And a shadow DPO is, in the regulator's eyes, usually a designated DPO who cannot perform the role.

That is closer to what the founder and IT director actually needed to decide, underneath the three contradictory answers already on the table. Not whether to have a DPO, but whether the business can stand up the role in a way Article 38 would recognise.
