GDPR and Small Businesses: Do You Need a Data Protection Officer?

Most small business owners land in one of two places when this question comes up. Either they’re confident they’re too small to worry about it, or they’ve read three different articles and still aren’t sure what applies to them. Both reactions are completely understandable. The problem is that neither is a reliable guide to what the law actually requires.

The honest answer is: probably not — but the deciding factor isn’t your number of employees, your revenue, or how many years you’ve been in business. The GDPR’s DPO requirement is not about company size or revenue. It is about how and why personal data is processed. That’s the line the law draws, and it sits in a very different place from where most people expect. A five-person telehealth startup processing patients’ medical records may have a legal obligation to appoint one, while a 200-person e-commerce business collecting standard customer data almost certainly does not. So, size alone tells you nothing.

There’s also a myth worth clearing up before going any further. The only part of the GDPR that references 250 employees is Article 30, which concerns record-keeping, and even that exemption has exceptions. The DPO requirement lives in Article 37, and that number doesn’t appear there at all. Countless small businesses have made compliance decisions based on a threshold that was never written into the relevant rule.

This article covers the GDPR DPO requirement in detail, and will tell you which side of the line your business falls on, what triggers the obligation, and — if you don’t need a DPO — what you actually do need to stay compliant.

What a DPO Actually Is and Does

Before you can answer whether you need one, it helps to know what you’d actually be appointing — because the mental image most small business owners have of a DPO is either too vague or too intimidating to be useful.

The most common misconception is that a DPO (Data Protection Officer) is a senior compliance executive: expensive, full-time, legally trained, and firmly out of reach for any business that doesn’t have its own legal department. That picture is wrong on almost every count.

What a DPO actually does

The DPO’s core job, as defined by the European Commission, is to inform and advise the organisation and its employees of their data protection obligations, monitor compliance across the business, provide advice on Data Protection Impact Assessments, act as the contact point for individuals whose data is being processed, and cooperate with supervisory authorities.

In plain terms: the Data Protection Officer is the person whose job it is to watch the gap between what data protection law requires and what the business is actually doing day to day — and to flag it before a regulator does. They sit across marketing, HR, IT, legal, and operations, asking the questions that no single department would naturally ask on its own. When a new product feature involves collecting user location data, the DPO is the person who asks, “Have we assessed the risk of this?” When a customer submits a data access request, the DPO makes sure it is handled correctly and on time. When a breach occurs, they manage the notification process.

The DPO is also an intermediary between the organization and relevant stakeholders — including regulators, customers, and staff — and oversees data privacy policies to ensure they are actually being followed across all parts of the business, not just written down and forgotten.

What a DPO is not

There is a lot of confusion here — and it’s where a lot of bad appointments come from.

A DPO is not the person who makes compliance decisions. Although the DPO performs a monitoring function, the organisation itself remains responsible for complying with data protection law. The DPO advises and oversees — they do not carry the legal liability for violations. If your business processes data unlawfully, the business is accountable, not the DPO. Appointing one does not transfer responsibility; it adds a layer of oversight.

A DPO is also not required to be a lawyer. The GDPR calls for expert knowledge of data protection law and practice, but there is no formal qualification requirement. No official GDPR certificate is mandated, though privacy certifications from bodies like the International Association of Privacy Professionals are widely regarded as strong indicators of competence. Many effective DPOs come from IT, information security, or risk management backgrounds rather than legal ones.

Crucially, a DPO does not have to be a full-time employee. The GDPR explicitly allows organisations to appoint an internal staff member or bring in an external DPO operating under a service contract. For small businesses that genuinely need one, outsourcing the role to a specialist firm is a practical and fully compliant option — and significantly more affordable than hiring a dedicated compliance professional.

The 3 Triggers That Make a DPO Legally Mandatory

Article 37 of the GDPR lays out exactly three situations in which appointing a DPO is not optional. Miss all three, and a DPO is not legally required. Hit any one of them — regardless of your business size — and it is.

Trigger 1: You Are a Public Authority or Body

Every public authority or public body must designate a DPO, with a narrow exception for courts acting in a judicial capacity. This requirement applies regardless of the volume or type of personal information the entity handles. Government departments, local councils, public universities, publicly funded hospitals, and organisations performing statutory public functions all fall under this trigger automatically.

Private businesses — whether limited companies, sole traders, or partnerships — are not public authorities. That means this trigger may not apply.

One caveat, though: some private organisations that carry out public functions under contract — running outsourced public services, for example — can fall into this category depending on the nature of the function and national law. If you operate in that space, it is worth checking specifically.

Trigger 2: Your Core Activities Involve Large-Scale, Regular and Systematic Monitoring of Individuals

This is the trigger that catches small businesses by surprise — and it is the one most frequently misread.

The key phrase is “core activities.” Core activities are the key operations necessary to achieve the controller’s or processor’s goals — not ancillary support functions. However, core activities should not be interpreted as excluding activities where data processing forms an inextricable part of what the organisation does. In other words, if activities such as tracking or monitoring people are central to your product or service — not just a byproduct of it — this trigger may apply.

“Regular and systematic monitoring” covers more than most business owners assume. Regulators interpret “regular” as processing that is ongoing or occurs at defined intervals, and “systematic” as processing that is organised, methodical, and part of a deliberate strategy. Under this definition, activities such as the following squarely qualify: behavioural advertising, customer profiling for retargeting, location tracking via mobile apps, loyalty programmes with detailed behavioural data collection, and monitoring of wellness or fitness data via wearable devices.

This matters for small businesses in a very direct way. A small e-commerce brand running a behavioural ad stack — tracking what users browse, what they abandon in their cart, how they move between devices — and doing this continuously and at scale as a core part of its marketing model is engaged in systematic monitoring. The team being ten people does not change that. A wellness app with tens of thousands of users logging workouts, sleep, and nutrition daily is doing the same. Article 37 is not about company size or revenue. It is about how and why personal data is processed.

Trigger 3: Your Core Activities Involve Large-Scale Processing of Special Category or Criminal Data

This trigger is the one that most frequently blindsides small businesses in health, wellness, HR tech, and related sectors — because the data involved sounds ordinary until you understand how the law categorises it.

Under Article 9 of the GDPR, special categories of personal data include information revealing:

  • racial or ethnic origin,
  • political opinions,
  • religious or philosophical beliefs,
  • trade union membership,
  • genetic data,
  • biometric data used to uniquely identify a person,
  • data concerning health, and
  • data concerning a person’s sex life or sexual orientation.

Criminal conviction and offence data carry equivalent sensitivity under Article 10.

These categories receive heightened protection because their misuse could result in significant harm, discrimination, or violation of fundamental rights.

For small businesses, this trigger shows up in places that are easy to overlook. A private clinic or therapy practice processing patient records is handling health data. A mental health app where users log their mood, medication, or diagnoses is handling health data. An HR software platform that manages sick leave records, disability accommodations, or occupational health data is handling health data — even if that feels more like administration than medicine. Wearable metrics such as heart rate, sleep patterns, or menstrual cycle tracking in wellness apps also fall squarely into this category, regardless of how the product is marketed.

The same logic applies to businesses using biometric authentication — face recognition, fingerprint scanning — as a core function, or to background check services processing criminal records at scale.

A UK-based wellness app recently discovered it had been processing special category health data for years under the mistaken assumption it was simply tracking “user interests in health topics.” The fix required rebuilding their consent mechanisms, rewriting their privacy policy, and conducting a Data Protection Impact Assessment, which they had not known was mandatory. The regulatory and operational cost of that discovery was entirely avoidable.

What “large-scale processing” actually means

Both Triggers 2 and 3 hinge on the same qualifier: the processing must be at “large scale.” This is where businesses get it wrong in both directions, either assuming they’re too small to qualify or assuming that any significant user base crosses the threshold.

The GDPR does not define what constitutes large-scale processing. This was deliberate. Regulators wanted the assessment to be contextual, not mechanical. Instead of a fixed number, the ICO and other regulators recommend that organisations consider:

  • The number of data subjects being processed,
  • The volume of data being handled,
  • The duration or permanence of the processing activity, and
  • The geographical reach of the processing.

Importantly, you do not need to score highly on all four factors. A combination is sufficient — and the weight of any single factor depends on context.

Regulators have provided examples on both sides of the line. Large-scale processing includes processing customer data in the regular course of business by an insurance company or bank, processing personal data for behavioural advertising by a search engine, and processing content, traffic, and location data by telephone or internet service providers. It does not include processing of patient data by an individual physician, or processing of personal data relating to criminal convictions by an individual lawyer.

The distinction is not about the sensitivity of the data in isolation — it is about the combination of sensitivity, volume, and the systematic nature of the processing. A GP and a hospital both process health data; only one does so at scale. A boutique HR consultancy and an HR SaaS platform both handle employee records; only one does so at the scale that triggers the obligation.

Therefore, for small businesses, the honest self-assessment question is “how many people’s data are we processing, how much of it, how continuously, and how central is that processing to what we actually do?”

With all that said:

If none of these three triggers applies to your business — you are not a public authority, your core activities do not involve large-scale systematic monitoring, and you do not process special category data at scale — then a DPO is not legally required under the GDPR. That is not a loophole or an oversight. It is the regulation working as designed.

What it does not mean is that you have no GDPR obligations. Every business that processes personal data of EU residents has compliance responsibilities. The DPO question is just one of them — and for most small businesses, it turns out to be the one they can put to rest earliest.

What happens if none of the triggers applies to you?

If you have determined none of the triggers applies to you, that’s genuine progress. But that doesn’t mean you shouldn’t do anything. In fact, “not legally required” and “nothing to think about” are two very different conclusions — and conflating them may leave businesses unnecessarily exposed.

The reality is that the GDPR requires someone in your organisation to own data protection, full stop. That obligation exists regardless of whether you need a DPO. The difference between a business with a voluntary DPO and one without is not whether data protection is being managed — it is whether that management is formalised, visible, and actually working. For many small businesses below the threshold, the honest answer is that nobody owns it at all. It lives somewhere between the founder, the IT provider, and whoever set up the privacy policy three years ago and hasn’t looked at it since.

That gap is what regulators find when things go wrong.

When a voluntary appointment genuinely makes sense

There is no one-size-fits-all answer here, but there are specific circumstances where appointing a DPO voluntarily — or at minimum designating a named internal lead for data protection — is the strategically sound move, not just a nice-to-have.

You are scaling seriously into EU markets. A business selling to EU customers at meaningful volume is operating in a jurisdiction where data protection regulators are increasingly active and where enterprise buyers take compliance seriously. Many companies are appointing voluntary DPOs because it makes it easier to align with the GDPR and demonstrate to customers and supervisory authorities that they are taking the matter seriously. As your EU footprint grows, so does your exposure — and having someone already embedded in the compliance function is significantly less costly than retrofitting it under pressure.

Your enterprise clients or partners are starting to ask questions. This is increasingly common and increasingly consequential. Procurement teams at larger organisations now routinely include data protection questionnaires in their vendor due diligence. Questions about your DPO status, data processing agreements, and breach response protocols are no longer reserved for tech companies. If you are selling B2B into regulated industries, such as financial services, healthcare, legal, and education, the absence of a named data protection lead can cost you contracts. A voluntary DPO gives you a concrete, credible answer.

You handle data that is sensitive in practice, even if not technically ‘special category.’ The GDPR’s categories are specific, but sensitivity is not confined to them. Financial data, detailed behavioural profiles, location history, private communications — none of these is “special category” under Article 9, but all of them carry real risk to individuals if mishandled. If your business sits in that space, the spirit of the law points clearly toward formalised oversight, even if the letter doesn’t require it.

You want to get ahead of the problem rather than react to it. Data protection compliance tends to deteriorate quietly. Consent records go unmaintained. Data retention policies get ignored. Third-party agreements expire. A privacy policy written for a product that no longer exists stays on the website for years. If you voluntarily appoint a DPO, the same legal requirements apply as if the appointment were mandatory — which means the role carries real weight and real accountability, not just a job title. For businesses that want to build compliance into the culture before scale forces the issue, that structure is exactly what’s needed.

Why you should have a DPO

Whether or not you appoint a DPO, the GDPR’s accountability principle — Article 5(2) — requires you to be able to demonstrate that your business is complying with data protection law. That is not a passive standard. It means documented policies, maintained records, auditable decisions, and a clear answer to the question “who in this organisation is responsible for data protection?”

If the answer is “nobody specifically,” that is a compliance gap in itself — and one that becomes very visible very quickly in the event of a breach, a regulatory enquiry, or a data subject complaint. Regardless of whether the GDPR obliges you to appoint a DPO, you must ensure that your organisation has sufficient staff and resources to discharge your obligations under the law. A DPO can help by advising and monitoring compliance — and can play a key role in your data protection governance structure.

Your Practical Options If You Do Appoint

After determining that a DPO is either legally required or the right strategic move for your business, the next question most small business owners face is a practical one: what does this actually look like, and what will it cost?

The default assumption is that it’s either a full-time hire or nothing. That is wrong! In fact, the gap between those two options is exactly where the most practical solution lives.

There are three realistic paths. Here is what each one actually involves.

Option 1: Assign an Existing Employee Internally

The most instinctive move for a small business is to designate someone already on the team. It feels cost-efficient, and on the surface, it is — no additional headcount, no external spend, someone who already knows the business.

The problem is that the GDPR’s independence requirement imposes a hard constraint on internal appointments, and many small businesses walk straight into it. A DPO cannot be entrusted with tasks or duties which result in them determining the objectives and methods of processing personal data on the part of the controller. Conflicting functions include mainly management positions like the chief executive, chief operating officer, chief financial officer, Head of HR, Head of IT, and managing director, but may also involve other functions if they lead to the determination of purposes and means of processing.

In plain terms, you cannot appoint your marketing manager as DPO for marketing data. You cannot appoint your IT lead as DPO if they also make decisions about what data systems the business uses. You cannot appoint the CEO or any senior leader who determines how data is processed. The French supervisory authority CNIL puts it plainly: the function of the DPO cannot be both judge and jury.

This is not a technicality that regulators overlook. In Poland, Toyota Bank Polska received a €132,000 fine in January 2025 for compromising DPO independence by placing the DPO under the IT security director. In Estonia, Asper Biogene was fined €85,000 — including a specific penalty for a DPO conflict of interest — after appointing a management board member as DPO. In Italy, a public body was fined €6,000 for appointing a DPO who held multiple key positions, with regulators finding he also did not have sufficient time to dedicate to the role.

For small businesses, the internal appointment route is genuinely workable — but it requires an honest assessment of the organisational structure. The DPO needs to be someone without decision-making authority over data processing, who has or can develop sufficient knowledge of data protection law, and who has the time and standing to perform the role independently. In a five or ten-person business where every senior person wears multiple hats, that combination can be difficult to find without creating exactly the conflict the regulation prohibits.

If you go internal, document the appointment clearly, define the role’s scope in writing, ensure the person reports directly to the most senior level of the business on DPO matters, and protect them from any instruction or pressure regarding how they perform the role.

Option 2: A Dedicated External Hire

Bringing in a full-time or part-time data protection professional as a permanent employee resolves the independence problem cleanly — an external hire has no pre-existing decision-making authority over your data. They come with specialist knowledge, can dedicate genuine time to the role, and are positioned to build compliance infrastructure from the ground up.

The trade-off is cost. Internal DPO salaries typically range from £60,000 to £140,000 depending on seniority, sector, and location — and that is before recruitment costs, benefits, and the time required to get someone up to speed on your specific business context. For the vast majority of small businesses, a dedicated hire is difficult to justify unless the volume and sensitivity of data processing genuinely demand it. This option makes the most sense for businesses that have crossed into meaningful scale, are in high-risk sectors like healthcare or fintech, or are approaching the kind of growth where compliance infrastructure needs to be built as a permanent internal function.

Option 3: DPO-as-a-Service

This is the path that makes the most practical sense for small businesses — whether the appointment is legally mandatory or voluntary.

DPO-as-a-Service, sometimes called an outsourced or virtual DPO, means contracting a qualified external professional or specialist firm to fulfil the DPO function on your behalf. The GDPR explicitly allows organisations to appoint an external DPO operating under a service contract, and a group of companies can even share a single DPO, provided that person is easily accessible from each entity.

What you get in practice is a named, qualified DPO who:

  • is registered with the relevant supervisory authority on your behalf,
  • carries professional indemnity insurance,
  • stays current with regulatory developments,
  • handles data subject requests and regulator communications,
  • advises on DPIAs,
  • is available when issues arise.

All of this comes without the overhead of employment. In addition, external DPO providers typically have teams with expertise across industries, giving you access to specialists as your business evolves.

On cost, the range is wide because it scales with the complexity of what you actually need. DPO-as-a-Service packages typically start at a few hundred euros per month and go up to a few thousand per month, depending on company size, technical complexity, and the number of legal entities involved. Entry-level packages exist for businesses with relatively straightforward processing activities, while more complex arrangements, such as multi-jurisdiction and high-volume sensitive data, sit at the higher end. Either way, one analysis found that a part-time in-house DPO working 20% of their time costs significantly more annually than a full-time outsourced DPO delivering the same level of service.

Final thought

The GDPR’s DPO requirement comes down to three triggers: you are a public authority, your core business involves monitoring people’s behaviour at scale, or you process special category data at scale. If none of those apply, a DPO is not legally required. If any of them might apply, but you are genuinely unsure whether your activity crosses the large-scale threshold, that uncertainty alone is reason enough to get a qualified data protection opinion before deciding either way. The cost of a proper assessment is far lower than the cost of a wrong call.

What every business owes — DPO or not — is clear, documented accountability for how personal data is handled. Someone needs to own it. Your lawful bases need to be on paper. Your privacy notice needs to reflect what you actually do. Your breach response plan needs to exist before you need it. The businesses that get data protection right are not necessarily the ones that appointed a DPO — they are the ones that decided early on that compliance was someone’s responsibility, gave that person real authority, and treated it as infrastructure rather than an afterthought.
