Data Protection Officer’s role and responsibilities

In light of the latest survey conducted by the CPO Magazine, we are looking into the role of the Data Protection Officer (DPO).

In this article, you will find answers to questions such as who a DPO is, which companies need to appoint one, and what the DPO’s responsibilities are.

Data Protection Officer by definition 

The UK’s independent authority gives a great definition of who a DPO is: 

“DPOs assist you to monitor internal compliance, inform and advise on your data protection obligations, provide advice regarding Data Protection Impact Assessments (DPIAs) and act as a contact point for data subjects and the supervisory authority.”

Wikipedia goes even deeper and specifies that: 

“The DPO ensures, in an independent manner, that an organization applies the laws protecting individuals’ personal data. The designation, position, and tasks of a DPO within an organization are described in Articles 37, 38 and 39 of the EU General Data Protection Regulation (GDPR).”

To put it in plain language, the DPO is a person in your company whose responsibility is to make sure that the company is GDPR compliant.

Important to know: 

The DPO must have the autonomy and independence to perform his or her functions. Therefore, it has to be decided whether the DPO’s functions can be assigned to an existing employee or to an external specialist.

If the DPO position is assigned to an existing employee, he or she is allowed to keep another position within the company, but only to the extent that it does not result in a conflict of interest.

This means that the DPO cannot be involved in deciding which personal data must be processed. Thus, the DPO could not be the director of the company or the head of the operations, finance, human resources, marketing, IT or legal departments.

Appointing a DPO 

As described in, there are three conditions when you are obliged to appoint a DPO:

  1. the processing is carried out by a public authority or body, except for courts acting in their judicial capacity;
  2. processing operations require regular and systematic monitoring of data subjects on a large scale;
  3. a large scale of special category data and/or personal data relating to criminal convictions and offenses are being processed.

To determine whether or not to appoint a DPO, you should assess whether your company meets the specified conditions. This assessment could be an integral part of an internal data protection audit. The assessment should result in a documented conclusion that could also be made available to the supervisory authority if necessary.

Important to know:

Companies which do not fulfill any of the mentioned conditions are not required to appoint a Data Protection Officer.

In other words, a DPO is not required to be appointed if:

  • personal information is not processed at all or is processed on a small scale.
  • the main activities of the company rarely involve monitoring data subjects.

DPO’s role and responsibilities 

Since the DPO takes the role of an intermediary between the company and the Data Protection Authority, he/she must be easily accessible to the company’s management, employees, the supervisory authorities and data subjects.

If a single DPO is appointed for a group of companies, then each subsidiary should have equally easy access to the DPO. Therefore, the DPO’s contact details must be mentioned in the Privacy Policy and provided to the authorities.

The Data Protection Officer must be involved in all issues related to the protection of personal data. GDPR Article 39 specifies the primary tasks of a DPO. In short, these are the tasks:

  1. to inform and advise the controller or the processor and the employees who carry out the processing of their obligations;
  2. to monitor compliance with GDPR and local data protection provisions, as well as with the internal policies, including the assignment of responsibilities, awareness-raising, and training of staff involved in processing operations, and the related audits;
  3. to provide advice regarding the data protection impact assessment (DPIA) and to monitor its performance pursuant to Article 35;
  4. to cooperate with the supervisory authority;
  5. to act as the contact point for the supervisory authority on issues relating to processing, including the prior consultation referred to in Article 36, and to consult, where appropriate, regarding any other matter.

When performing these tasks, the DPO must be aware of the risk associated with processing operations. The DPO must also consider the nature, scope, context, and purposes of the processing.

The DPO should prioritize and focus on riskier activities, for example, situations where special category data is being processed, or where the potential impact on individuals could be damaging. Therefore, DPOs should provide risk-based advice to your organization.

If the company decides not to follow the advice given by the DPO, the reasons must be documented in order to demonstrate accountability.


The GDPR Data Protection Officer is a key figure in the updated data management system. Not only does he/she help to comply with the requirements, but he/she also acts as an intermediary in the relationship between the company, the supervisory authority and the data subject.

Therefore, the Data Protection Officer must be appointed with careful consideration of all the operations within the company.

However, even though the role and tasks of a DPO are crucial to the company, it is important to know that the DPO is not personally liable for data protection compliance. It remains the company’s responsibility to comply with the GDPR.

If the company decides not to appoint a DPO when it’s required, it might cause non-compliance and the company might face GDPR fines that can go up to EUR 20 million or 4% of global turnover.
