UK GDPR Article 37 makes appointing a Data Protection Officer mandatory in defined circumstances. This guide explains the legal threshold, the practical trade-offs between internal and external (outsourced) DPOs, and which approach fits different organisation sizes.
An internal DPO is your employee. An external DPO is contracted, typically from a privacy or law firm. Both satisfy Article 37 if appointed with the required independence and expertise.
External (outsourced) DPO is usually the right answer for SMEs, scale-ups, and any organisation where data protection is a significant compliance burden but not a full-time role. Internal DPO makes sense at scale, typically 250+ employees with significant ongoing processing activities, or where in-house counsel is already substantial.
| Dimension | Internal DPO | External (Outsourced) DPO |
|---|---|---|
| Employment relationship | Your employee, on payroll | Contracted service provider |
| Cost (annual) | £70-120k+ fully loaded for a competent appointment | £18-48k typical retainer depending on scope |
| Independence (Article 38) | Requires reporting line to highest management, conflict-of-interest safeguards | Independence is inherent to the contracted relationship |
| Expertise depth | One person, depth limited by their experience | Access to a team with broader experience across sectors and ICO engagements |
| Availability | Office hours, holiday cover required | Usually contractual SLA, dedicated cover |
| Best for | Large enterprises, multi-jurisdiction, 250+ employees | SMEs, scale-ups, growing organisations, regulated sectors |
| Statutory obligations met | Yes (if appointed correctly) | Yes (if appointed correctly) |
| Breach response capability | Single point of failure | Team coverage, faster activation |
UK GDPR Article 37 mandates DPO appointment when: (a) the processing is carried out by a public authority, (b) core activities require regular and systematic monitoring of data subjects on a large scale, or (c) core activities consist of large-scale processing of special-category data or criminal-offence data.
In practice, organisations meeting condition (b) or (c) include online platforms tracking user behaviour, healthcare providers, insurance companies, financial services firms, telecommunications providers, and many SaaS companies handling sensitive customer data.
Voluntary DPO appointment is also valid and increasingly common. Many organisations appoint a DPO not because Article 37 mandates it, but because customer security questionnaires, B2B procurement, and ISO 27001 / 27701 readiness benefit from a named privacy lead.
Article 37 is about appointment, not job title. You can satisfy the requirement with an external DPO. You cannot satisfy it with an employee who lacks independence, has conflicts of interest (such as your CIO or General Counsel doubling up), or lacks specialist privacy expertise.
You have between 20 and 1,000 employees with meaningful personal data processing.
You are in a regulated sector (healthcare, fintech, edtech) where data protection is a continuous concern but not your core competency.
Your in-house counsel is generalist or limited, and pulling them into ICO correspondence is inefficient.
You face periodic spikes in privacy work (DPIA cycles, customer questionnaire responses, breach response) and need access to specialist capacity rather than building it in-house.
You want the independence safeguards of Article 38 without engineering them around an internal employee.
You are an enterprise or regulated organisation with 1,000+ employees and significant ongoing processing.
Data protection work is large and complex enough to justify a full-time role with no idle capacity.
You operate across multiple jurisdictions with overlapping privacy regulations that require deep, internal contextual knowledge.
You have an established legal and compliance function with the scale and seniority to absorb the DPO role without conflict.
RedSecLabs delivers outsourced statutory DPO services for UK and EU organisations. We act as your formal Article 37 DPO, registered with the ICO, with the independence safeguards Article 38 requires.
Our retainer covers ongoing privacy advisory, DPIA execution, SAR handling, ICO-facing engagement, breach notification support, and continuous Article 30 records of processing maintenance. Cover, escalation, and a named lead DPO are contractual rather than dependent on one employee.
Yes, if Article 37 thresholds do not apply. Many small organisations do not require a DPO. They still need to comply with UK GDPR generally, but no formal appointment is required.
Almost always. An experienced internal DPO is fully-loaded around £80-120k+ annually. External DPO retainers typically start around £18k for SMEs and scale by processing complexity. For most organisations, external is significantly cheaper.
Usually not. Article 38 prohibits conflicts of interest. A General Counsel often has conflicting interests, and a CIO almost always does (they determine processing means, which is the activity the DPO is meant to oversee). The ICO has been clear on this.
Typically within 5-10 working days. We register with the ICO, complete induction with your team, review existing privacy documentation, and identify the first 90 days of priority work.
A 30-minute scoping call covers your specific context and lets us recommend the right approach. We will tell you honestly if our service is not the right fit.
Book a scoping callRelated: DPO Services →