Why understanding your legal requirement matters.
At Hope & May, we work with charities and not-for-profits that are deeply committed to making a difference – but often uncertain about their legal responsibilities under UK GDPR. One key question we help many organisations answer is:
“Are we legally required to appoint a Data Protection Officer (DPO)?”
According to official guidance from the Information Commissioner’s Office (ICO), if your organisation engages in certain types of data processing activities, you are required to appoint a DPO. This isn’t just a recommendation – it’s a legal requirement.
When is a DPO mandatory for charities?
The ICO states that organisations must appoint a DPO if any of the following apply:
- Your core activities involve large-scale processing of special category data, or,
- Your core activities require regular and systematic monitoring of individuals on a large scale.
Charities may often fall into one or both of the above categories.
Examples that require a DPO appointment:
You would also be required to appoint a DPO if your organisation carries out activities such as:
- Tracking behaviour on your website or through digital fundraising tools
- Operating CCTV or surveillance systems at scale
- Maintaining large databases of service users, volunteers, or donors
- Collecting and storing special category data (such as health, ethnicity, or religious beliefs)
- Running long-term support, casework, or programme monitoring involving personal data
- Processing personal data across multiple locations or at high volume
If you answered “yes” to any of these, the ICO response is as follows:
“Your organisation will need to appoint a data protection officer.”
Based on the answers given you probably need to appoint a data protection officer (DPO).
The full guidance is available on the ICO’s website, but for most charities, the message is simple: a DPO may not be optional, and should be appointed for good governance in the organisation.
Why it matters
Having a qualified DPO in place helps your organisation:
- Stay legally compliant and avoid regulatory fines
- Protect sensitive data relating to supporters, beneficiaries, and staff
- Manage risks with confidence
- Respond effectively to Subject Access Requests and potential data breaches
- Demonstrate accountability and good governance to funders, partners, and the public
Hope & May: DPO services built for the charity sector
We specialise in outsourced DPO services for charities, foundations, and community organisations across the UK. Our tailored support means you get:
- A named expert acting as your official DPO
- Ongoing guidance and hands-on support
- Policy reviews, risk assessments, and compliance checks
- Staff training and process improvement
- Peace of mind knowing you’re fulfilling your legal obligations
Need help determining your status?
If you’re unsure whether your organisation’s activities meet the threshold, or you’re ready to appoint a DPO but don’t know where to start – we’re here to support you.
Contact the team at Hope & May today for expert guidance at info@hopeandmay.com