by Ed Owen | Head of programme content, The IDM | April 10, 2018 The role of Data Protection Officer is mentioned in the GDPR text, but do you actually need to employ one? Does it depend on the size of your business? Data Protection Officers (DPOs) are one of the lynchpins of the GDPR. They occupy a unique area inside a business, where the interests of the consumer, the regulator and the business overlap. They also have a degree of protection from business churn, absolved from any kind of sanction that comes from their day-to-day work. But do you need one? The simple answer is, as with much of the GDPR, it depends. Size is not a factor, but larger business will struggle to manage without a DPO. But an organisation has to hire a DPO if they are a public authority, or if core business activities, “require regular and systematic monitoring of data subjects on a large scale” and if they process sensitive personal data such as data relating to a criminal conviction. Today, most marketing involves regular data processing so most companies and agencies that carry out processing will most likely need to hire a DPO. This does leave some grey area – how much data processing is ‘on a large scale’ is the key question here. Guidance will come from the regulator the Information Commissioner’s Office (ICO) in due course which will help those of you who carry out some processing to better decide in the near future. If you are still unsure about how the GDPR will affect you and your business, or you need start practical preparations, check out the IDM's full GDPR training portfolio. Ranging from an entry level basics course to an expert level professional qualification, there is something for everyone no matter which part of the preparation journey you are currently at.