
A common question about GDPR compliance is whether a Data Protection Officer (DPO) is required for all businesses. A DPO is an independent expert who is hired to oversee an organisation’s compliance with data protection and privacy laws.

While it’s widely assumed that only large companies need to hire a DPO, it really depends on what an organisation’s core data processing activities are, i.e. the types of data they collect and how they use it. Let’s look at the roles and responsibilities of a DPO, and the criteria under which hiring one is mandatory.

What does a Data Protection Officer do?

A DPO is employed to provide expert advice on and implement a strategy to meet an organisation’s data protection and privacy obligations. They should be well-versed in areas such as privacy law, cybersecurity, and risk management.

If the role is filled internally, the organisation must choose an employee who is not subject to a conflict of interest: the DPO cannot be someone who also decides the purposes and means of processing. For example, a company's Chief IT Officer cannot also be its DPO.

A DPO is involved in all issues related to the protection of personal data and reports to the highest management level of their organisation. To this end, the DPO must be given the authority to access information about, and investigate, the organisation's data processing activities.

According to the GDPR, a DPO’s key responsibilities include:

  • Informing and advising the organisation and its employees about their data protection and privacy obligations.
    The DPO must explain to management and employee teams (such as marketing and IT) how they can collectively achieve GDPR compliance.
  • Monitoring compliance.
    The DPO must monitor whether the organisation is complying with the GDPR and with its own data protection policies. This can include tasks such as advising on and reviewing Data Protection Impact Assessments (DPIAs); educating and training employees on data protection and privacy; keeping records of the organisation's data processing activities; and reporting on the organisation's failure to meet its compliance obligations.
  • Assisting data subjects in exercising their data rights.
    The DPO should respond to the complaints, enquiries, and requests made by data subjects (the people whose personal data is being collected by the organisation) regarding their personal data.
  • Working with data supervisory authorities.
    The DPO must act as the contact point between their organisation and the relevant supervisory authority regarding any issues around data processing.

While a DPO has a diverse and wide-ranging set of roles and responsibilities, they are not personally responsible for GDPR compliance. Rather, the organisation will need to demonstrate compliance by equipping their DPO with adequate resources and support to carry out their responsibilities.

The GDPR also makes special note that the DPO should not be penalised for or obstructed from doing their job.

Is a Data Protection Officer compulsory for all businesses?

No, not all businesses need to appoint a DPO in order to comply with the GDPR. According to Article 37 of the GDPR, there are three instances in which a data controller or processor must appoint a DPO:

  1. The organisation's core activities require regular and systematic monitoring of data subjects on a large scale.
  2. The organisation's core activities consist of large-scale processing of special categories of data (such as health, biometric, or political-opinion data) or of data relating to criminal convictions and offences.
  3. The organisation is a public authority, such as a government department or educational institution (excepting courts who “are acting in their judicial capacity”).

If an organisation is required to appoint a DPO, the DPO's contact details must be published (for example, in the privacy policy) so that data subjects can reach them, and must also be communicated to the supervisory authority.

While a DPO can spearhead GDPR compliance initiatives, getting compliant isn’t a one-person job: it requires a coordinated effort that must be supported by all sides of an organisation.

Get GDPR-ready with our privacy policy templates

Create your custom GDPR privacy policy and Terms of Service with our privacy policy templates.