GDPR: Who should fill the DPO role?

The EU General Data Protection Regulation (GDPR) requires many organisations to appoint a data protection officer (DPO). The role calls for people with expert knowledge of data protection law and practices, as they are responsible for organisations’ data protection strategies and their compliance with the GDPR.

Although only certain organisations need to appoint a DPO, the Article 29 Working Party recommends that all organisations appoint one as a matter of good practice.

The DPO role can be filled by a new or existing employee or contracted externally. How organisations fill this role will likely depend on the factors outlined here.


Finding qualified staff

According to a white paper published last year by the International Association of Privacy Professionals, the GDPR created a demand for 75,000 DPOs. As the compliance deadline approaches, that demand is still present. Our GDPR Report found that 50.5% of respondents said their organisation’s current workforce isn’t equipped to implement a compliance project.

This means that, even if you wanted to hire someone to fulfil the DPO requirements, you might not find anyone qualified. Some organisations will be able to get around this by outsourcing the role to someone who can fill the DPO role for multiple companies. Other organisations will need a dedicated DPO to handle a larger workload.

The good news is that more people are training to become DPOs as they spot the need for qualified personnel and the generous salary that the position offers.



Another consequence of the shortage of qualified staff is that finding and training someone to fill the DPO role takes time. An organisation that can attract an experienced and qualified data protection professional can prepare for the GDPR much more quickly.

Contracting out the DPO role is just as convenient. However, organisations should note that they, not the DPO, are responsible for complying with the GDPR. In other words, should the external DPO fail to comply with the Regulation, the organisation will be liable for any penalty.


Control and flexibility

An internal DPO gives organisations more control over their privacy programme, but an external DPO gives them more flexibility, allowing them to adjust the DPO’s tasks depending on business needs. For example, if an organisation starts collecting and storing more data at short notice (because it runs a competition, say), an external DPO is more likely to be prepared for the increased workload.


Our training courses

If you’re looking to gain the expertise to fill the DPO role, you should consider enrolling on our Certified EU General Data Protection Regulation Practitioner (GDPR) Training Course.

This course helps you gain a practical understanding of the tools and methods for implementing and managing an effective compliance framework. It focuses on how the data protection principles work in practice, the policies and procedures necessary, and practical guidance on how to implement an effective privacy and information security compliance programme.

Find out more about our Certified EU General Data Protection Regulation Practitioner (GDPR) Training Course >>
