Law Society of Scotland
Data protection officers

The GDPR provides that certain organisations must appoint a data protection officer (DPO). Every organisation should have a data protection lead, whether or not they require a DPO.

The organisations which require a DPO are:

  • All public authorities or public bodies, defined as those caught by freedom of information legislation – this includes all doctor and dental practices, colleges and universities but not currently housing associations, although this may change
  • Those whose core activities consist of processing ‘special categories’ of data (comparable to sensitive data, such as health data, trade union membership, political affiliation, biometric and genetic data etc) or data relating to criminal convictions or offences on a large scale – law firms and private health care organisations may fall into this category, as well as certain housing associations that provide care services
  • Those whose core activities require regular and systematic monitoring of data subjects on a large scale – this includes organisations operating a telecommunications network; profiling and scoring for purposes of risk assessment (eg for purposes of credit scoring, establishment of insurance premiums, fraud prevention, detection of money laundering); location tracking, for example, by mobile apps; loyalty programmes; behavioural advertising; monitoring of wellness, fitness and health data via wearable devices; closed circuit television; connected devices, eg smart meters, smart cars, home automation, etc

‘Core activity’ – an activity that is inextricably part of the function of the organisation rather than a support activity, including activities where the processing of data forms an inextricable part of the controller’s or processor’s activity.

‘Large scale’ – assessed by the number or proportion of data subjects, the volume and/or the different types of personal data, and the geographical extent of the processing activity.

Sole practitioners are not required to appoint a data protection officer.

The second category may apply to some law firms. For instance, a criminal defence firm, or a personal injury firm, cannot provide legal services without processing special category data and so would appear to fall into the ‘core activities’ category. However, that may depend on the extent to which these areas of practice are the core activities of your firm.

It is difficult to determine what will be considered ‘large-scale’ processing. The guidance from the EU states that organisations should consider the following:

  • The number of data subjects concerned, either as a specific number or as a proportion of the relevant population
  • The volume of data and/or the range of different data items being processed
  • The duration, or permanence, of the data processing activity
  • The geographical extent of the processing activity

The guidance provides examples of large-scale processing:

  • Patient data in the regular course of business by a hospital
  • Travel data of individuals using a city’s public transport system (eg tracking via travel cards)
  • Real-time, geo-location data of customers of an international, fast-food chain for statistical purposes by a processor specialised in providing these services
  • Customer data in the regular course of business by an insurance company or a bank
  • Personal data for behavioural advertising by a search engine
  • Data (content, traffic, location) by telephone or internet service providers

Examples that do not constitute large-scale processing include:

  • Patient data by an individual physician
  • Personal data relating to criminal convictions and offences by an individual solicitor

Whatever you decide for your firm, if you decide not to appoint a DPO, document your reasoning.

A DPO does not have to be an internal appointment – it can be an outsourced or shared service. Crucially, the DPO’s role is to monitor and advise on compliance, not to make decisions about the processing of data, as that would conflict with the role. It can therefore be very difficult to identify someone who is independent of processing decisions to fill this role.

Data protection lead

Even if you do not appoint a DPO, you should nominate someone to take the lead in relation to this area and to be the point of contact for staff, clients and others. The restrictions in relation to who this person can be do not apply if they are not fulfilling the statutory role envisaged by the GDPR.

For more information about the role of the DPO, go to www.ico.org.uk.

Case study

Our high street firm does process some special category data, but it is not the core part of the business nor is it doing so on a large scale. On that basis, our firm will not appoint a data protection officer. It has identified someone in the firm who is the lead for data protection and it has made a record of its decision.

Law Society of Scotland
Atria One, 144 Morrison Street
Edinburgh
EH3 8EX
If you’re looking for a solicitor, visit FindaSolicitor.scot
T: +44(0) 131 226 7411
E: lawscot@lawscot.org.uk
Law Society of Scotland | © 2025