Do I need a Data Protection Officer (DPO) for GDPR compliance, and is it possible to outsource a Data Protection Officer?

    It has been almost three years since the birth of the General Data Protection Regulation (GDPR) in 2018. Its main purpose is to protect individuals' fundamental rights and freedoms, particularly their right to the protection of their personal data. Under Article 37 of the GDPR, certain organisations must appoint a designated Data Protection Officer (DPO): those that are a public authority or public body, and those whose core activities involve large-scale, regular and systematic monitoring of individuals or the processing of special category data on a large scale.

    Organisations that require a DPO under the GDPR:

    1. Hospitals processing patient health records.
    2. County Councils or Local Authorities.
    3. Banks or insurance companies processing customer data.
    4. A search engine processing personal data for behavioural advertising.
    5. Charities processing the personal data of service users, volunteers, and donors.
    6. Schools and Universities.

    The European Data Protection Board recommends, as a good practice, that private organisations carrying out public tasks or exercising public authority designate a DPO, even though there is no obligation in such cases.

    When an organisation designates a DPO on a voluntary basis, the requirements under Articles 37 to 39 of the GDPR will apply to their designation, position, and tasks as if the designation had been mandatory.

    Unless it is obvious that an organisation is not required to designate a DPO, the European Data Protection Board recommends that controllers and processors document the internal analysis carried out to determine whether or not a DPO is to be appointed. This analysis is part of the documentation under the accountability principle of the GDPR. It may be required by the supervisory authority and should be updated when necessary, for example if the controllers or the processors undertake new activities or provide new services.

    Data Protection Officer Role

    The GDPR (Articles 37 to 39) recognises the DPO as a key player in the data governance system and sets out conditions for their appointment, position within the organisation and tasks they are expected to carry out.

    In short, the DPO essentially looks after data protection oversight and reporting. They should be a relatively senior person within your organisation with the necessary level of expert knowledge in relation to the data processing operations carried out and the protection required for the personal data being processed.

    1. The DPO’s main purpose is to monitor data protection legal and policy compliance within your organisation, including awareness raising, staff training, incident management, and process auditing.
    2. They should be capable of providing ongoing advice and information on your organisation’s data protection obligations and data management activities. This includes being easily accessible to management and employees, and advising on and monitoring Data Protection Impact Assessments (DPIAs) and breach reporting.
    3. The DPO must be registered with your national data protection supervisory authority, and act as the main point of contact on Data Protection matters.
    4. Article 38 of the GDPR provides that the controller and the processor shall ensure that the DPO is ‘involved, properly and in a timely manner, in all issues which relate to the protection of personal data’. The DPO should be invited to participate regularly in meetings of senior and middle management and the opinion of the DPO must always be given due weight.

    Conflict of Interest

    1. Your DPO can be someone already within the organisation, provided there is no conflict of interest with their existing professional duties and they have sufficient time to devote to DPO tasks.
    2. As a rule of thumb, conflicting positions within an organisation may include senior management positions such as Chief Executive, Chief Operating, Chief Financial or Chief Medical Officer, Head of Marketing, Head of Human Resources or Head of IT departments, but may also include other roles in the organisational structure if such positions or roles lead to the ‘determination of purposes and means of processing’.
    3. Alternatively, you can appoint a new, dedicated DPO, share a DPO with another organisation, or, as the legislation allows, outsource the role of DPO to an outside agency or service provider.

    Outsourcing the Role: DPO-as-a-Service

    Outsourcing the role of DPO is the only realistic option for many organisations, and even makes sense for businesses and public bodies that could afford the luxury of employing a DPO in-house. A DPO-as-a-Service offering can be tailored to meet the specific data protection needs of most organisations, with additional benefits such as providing:

    1. A practical and cost-effective solution to achieving GDPR compliance.
    2. Access to Data Privacy compliance technology.
    3. Access to broader DPO expertise.
    4. Experience of best practice in achieving and maintaining GDPR and Data Privacy compliance.
    5. Elimination of any concerns with respect to conflict of interest.
    6. Tried and trusted data management policies and procedures customised for your organisation.

    PrivacyEngine provides a DPO-as-a-Service offering that can be tailored to meet the specific data protection needs of any organisation.
