Short answer: A DPO is only legally required in certain cases – but can be a smart choice for many businesses. You must appoint a DPO if your core activities involve systematic and large-scale monitoring of individuals, or if you process sensitive data on a large scale. A DPO advises on data protection risks and helps ensure your organisation complies with GDPR.
What is a DPO?
A DPO, or Data Protection Officer, is responsible for overseeing and ensuring an organisation’s compliance with data protection regulations. Under the EU General Data Protection Regulation (GDPR), certain organisations are required to have a DPO. The Data Protection Officer must be able to give the company objective advice on compliance with data protection regulations.
Did you know that data leaks that include personal data lead to customer loss and impact on business sustainability?
Ponemon Institute
Who needs a Data Protection Officer?
Companies must have a DPO if they meet at least one of the following conditions:
- Public authorities and bodies: All public authorities and bodies must have a DPO.
- Processing of personal data on a large scale: If a company processes personal data in a way that requires regular and systematic monitoring of affected persons on a large scale, or if the company processes special categories of personal data (e.g. health data or information about criminal convictions), it must have a DPO.
- Public authority or body processing personal data: Although not all public authorities and bodies need to have a DPO, some of them do, especially if they carry out processing of personal data that requires regular and systematic monitoring.
Although it is only mandatory for certain organisations to have a DPO under the GDPR, other companies may also choose to employ a DPO voluntarily as part of their efforts to protect personal data and comply with data protection rules. It may be good practice for any organisation that processes personal data to a significant extent to have a person responsible for data protection and compliance with privacy rules.
Who should be responsible for your data?
To ensure independence and the ability to give the company objective advice, it is a good idea to let your Data Protection Officer be an external consultant. In principle, a DPO can be an internal employee, but in that case it is difficult to ensure impartial guidance. However, we often see that it is the senior IT manager or the senior HR manager who holds the position.
If you decide that you are not obliged to employ a DPO, it is a wise decision to document your considerations. This serves as documentation that you have thoroughly considered the need for a DPO, which can be valuable in the event of a data audit.
FAQ about DPOs
1. Do we need to register our DPO?
No. If your organisation has appointed a Data Protection Officer, you can (voluntarily) notify the ICO, but it’s not mandatory. However, doing so is recommended, as it makes it easier for the authority to contact the right person during audits.
2. Can an employee hold multiple roles?
Yes – but only if there is no conflict of interest. For example, your Head of IT typically cannot act as DPO.
3. How much does it cost to hire an external DPO?
It varies – but many organisations choose flexible arrangements where the DPO acts as an advisor on an hourly or project basis.
How to make life easier for your Data Protection Officer
Keeping proper track of the company’s processing of personal data is a comprehensive task. It involves many processes that are time-consuming and resource-intensive: identifying your files with personal data, preparing policies, following up on employee processes, updating IT systems, etc. By using dedicated GDPR software, you can relieve your Data Protection Officer of the heaviest manual tasks. Our GDPR software solutions are:
- DataMapper – Find your sensitive data
- ShareSimple – Send and receive data securely in Outlook
- RequestManager – Process data subject requests easily
Sebastian Allerelli
Founder & COO at Safe Online
Sebastian is the co-founder and COO of Safe Online, where he focuses on automating processes and developing innovative solutions within data protection and compliance. With a background from Copenhagen Business Academy and experience within identity and access management, he has a keen understanding of GDPR and data security. As a writer on Safe Online's Knowledge Hub, Sebastian shares his expertise through practical advice and in-depth analysis that help companies navigate the complex GDPR landscape. His posts combine technical insight with business understanding and provide concrete solutions for effective compliance.





