As data protection regulations become more stringent, the DPO (data protection officer) role has become increasingly critical for organisations.
In a recent webinar, Dr Loredana Tassone explored the legal requirements for a DPO, the common pitfalls when appointing internal DPOs and why outsourcing this function might be the smart choice for many organisations seeking to avoid conflicts of interest while ensuring expertise and independence.
This blog post provides an overview of what was discussed.
When must you appoint a DPO?
According to the GDPR, controllers and processors must designate a DPO in three specific situations:
- When the processing is carried out by a public authority or body
- When core activities require regular and systematic monitoring of data subjects on a large scale
- When core activities involve large-scale processing of special categories of data or personal data relating to criminal convictions and offences
The GDPR doesn’t explicitly define terms like “core activities”, “systematic monitoring” or “large scale”. However, guidance from the EDPB (European Data Protection Board) and national supervisory authorities – including the UK’s ICO (Information Commissioner’s Office) – helps clarify these concepts:
- ‘Core activities’ are the primary business operations necessary to achieve the controller’s or processor’s goals, not ancillary functions like payroll or IT support.
- ‘Large scale’ considers the number of data subjects affected, the volume of data, the duration of processing and the geographical extent.
- ‘Regular and systematic monitoring’ includes ongoing tracking, profiling and data-driven business activities.
Even when not mandatory, appointing a DPO voluntarily can demonstrate a commitment to data protection and provide valuable expertise in navigating complex compliance requirements.
The position and role of a DPO
The GDPR specifies that a DPO must be appointed based on professional qualities and expert knowledge of data protection law.
While legal qualifications aren’t explicitly required, the DPO must have sufficient expertise to understand complex legal decisions and their practical implications for the organisation.
Key requirements for the DPO position include:
- Being involved in all issues relating to data protection
- Being provided with necessary resources to carry out their tasks
- Operating independently without receiving instructions
- Reporting directly to the highest management level
- Not being dismissed or penalised for performing their tasks
- Being accessible to data subjects and supervisory authorities
- Being bound by confidentiality
The DPO’s responsibilities include:
- Informing and advising the organisation on data protection obligations
- Monitoring compliance with the GDPR and other data protection provisions
- Providing advice on data protection impact assessments
- Cooperating with supervisory authorities
- Acting as a contact point for supervisory authorities
- Handling queries from data subjects
Independence and conflicts of interest: a critical challenge
One of the most significant challenges is ensuring the DPO’s independence and avoiding conflicts of interest. The EDPB’s 2023 coordinated enforcement action found numerous concerns about conflicts of interest, particularly when DPOs held additional roles in IT, compliance or legal departments.
Article 38(6) of the GDPR states that the DPO may fulfil other tasks and duties, but the organisation must ensure that these do not result in a conflict of interest. In practice, this has proven difficult for many organisations.
Listen to the free webinar
Want to know more about the DPO role and its requirements under the GDPR? Download the webinar recording to learn more about the DPO’s responsibilities and why outsourcing the role reduces your compliance risks.
Notable cases involving DPO conflicts of interest
- German Retailer Case (2020)
Fine: €525,000
Issue: The DPO was also the managing director of subsidiaries and responsible for data processing operations, creating a fundamental conflict of interest through strong decision-making powers.
- Belgian DPA Case (2020)
Fine: €75,000
Issue: The DPO also served as the compliance officer, a dual role that undermined independence.
- Spanish AEPD Case (2021)
Fine: €100,000
Issue: The DPO reported directly to senior management in a way that compromised independence, as organisational pressure influenced decisions.
- Austrian DPA Case (2024)
Fine: €5,000
Issue: A laboratory’s managing director was appointed as DPO during the COVID-19 pandemic. Even in this small organisation, the conflict was deemed unacceptable.
Common problematic dual roles include:
- IT Director/CISO and DPO
- HR Director and DPO
- Marketing Director and DPO
- Senior management positions and DPO
The Court of Justice of the European Union has clarified that while DPOs can perform other roles, they cannot hold positions where they would be “marking their own homework” or monitoring their own work. Any decision-making role over data processing creates an inherent conflict of interest.
Benefits of outsourcing the DPO role
Given these challenges, outsourcing the DPO role has become an attractive option for many organisations. The benefits include:
- Elimination of conflicts of interest: external DPOs don’t have competing responsibilities within your organisation
- Guaranteed independence: external DPOs can provide unbiased advice without fear of organisational repercussions
- Access to specialised expertise: professional DPO service providers stay current with the latest regulatory developments, case law and best practices
- Cost-effectiveness: outsourced DPO services often cost less than hiring a full-time expert, particularly for smaller organisations
- Continuity of service: external DPO services typically provide backup personnel, ensuring coverage during illness or holidays
- Established relationships with authorities: experienced DPO service providers often have established working relationships with supervisory authorities
- Proven compliance frameworks: access to tested methodologies and templates for effective compliance
Importantly, no fines have been issued specifically related to outsourced DPOs, whereas numerous fines have been levied against organisations with internal DPOs in conflict-of-interest situations.
Checklist: appointing a DPO
Whether you choose to appoint an internal DPO or outsource the role, consider the following steps:
- Establish if there is a mandatory requirement to appoint a DPO under the GDPR
- Assess the pros and cons of internal appointment versus outsourcing
- If appointing internally, carefully evaluate potential conflicts of interest
- Check the professional qualifications and expertise of the DPO
- Ensure the DPO has sufficient resources and organisational support
- Develop standard procedures for how the DPO will function within your organisation
- Register the DPO with relevant supervisory authorities
- Update privacy notices with DPO contact information
DPO as a Service
DPO as a Service provides a practical solution. You get a truly independent, expert DPO with deep legal and operational expertise, helping you maintain compliance without stalling growth.
It includes:
- A dedicated DPO, with unlimited phone and email support during UK business hours
- Registration with the appropriate supervisory authority
- A first-year GDPR gap analysis with a remedial action plan
- Legal review of your GDPR documentation
- Support creating your record of processing activities (Article 30)
- Expert guidance on DPIAs, DSARs, breach monitoring and reporting
- An annual compliance audit (from year two onward)
- Monthly activity updates and quarterly management reporting
- Monthly newsletter with the latest on data protection
The post The Critical Role of a DPO: Why Outsourcing is the Smart Choice appeared first on IT Governance Blog.