Data Protection Officer (DPO)

An independent role with responsibility for advising on, and monitoring compliance with, GDPR within an organisation.

Also: DPO

A Data Protection Officer is an individual (employee or contractor) appointed by a controller or processor to oversee data protection strategy and compliance. GDPR Article 37 makes a DPO mandatory in three situations:

  1. Public authorities and bodies (except courts acting in their judicial capacity).
  2. Core activities consist of processing operations that require regular and systematic monitoring of data subjects on a large scale.
  3. Core activities consist of large-scale processing of special categories of data or of data relating to criminal convictions and offences.

Many organisations not strictly required to have a DPO appoint one anyway, either as best practice or because their data subjects, customers, or B2B prospects expect one.

The independence requirements

A DPO must:

  • Be independent. Article 38(3) bars the controller or processor from instructing the DPO on how to carry out DPO tasks and from dismissing or penalising the DPO for performing them. The DPO reports directly to the highest management level.
  • Avoid conflicts of interest. Article 38(6) prohibits other tasks that would conflict — typically excluding senior roles in IT, marketing, HR, or any function that determines processing purposes.
  • Be qualified. Expert knowledge of data protection law and practices, proportionate to the complexity of the processing.
  • Be reachable. Contact details must be published and communicated to the supervisory authority.

A single DPO can serve multiple group entities, provided they are easily accessible from each establishment (Article 37(2)). An external DPO (an individual or firm engaged under a service contract) is permitted (Article 37(6)).

The DPO and vendor monitoring

The DPO's tasks (Article 39) include monitoring compliance with GDPR, including the assignment of responsibilities, staff awareness and training, and related audits, as well as advising on DPIAs and acting as contact point for the supervisory authority. In practice, this means the DPO is the person who:

  • Reviews new vendor onboarding from a privacy perspective.
  • Advises on and monitors DPIAs (the controller remains responsible for carrying them out and for the decision to proceed).
  • Investigates breaches reported by processors.
  • Coordinates DSAR responses across vendors.
  • Is the named point of contact when a regulator wants to discuss a vendor relationship.

A DPO without a working vendor inventory and ongoing change-monitoring is operating blind. This is a major reason vendor-monitoring tooling exists at all: the organisation is accountable for what its processors do, Article 28(2) entitles it to be told of any added or replaced subprocessor and to object, and the DPO is the one who has to explain the position to a supervisory authority. "I didn't know they added that subprocessor" is not a viable answer.

Related terms