The Data Protection Officer, or DPO, causes a lot of confusion. Some appoint one just in case, others ignore the obligation because they do not know it applies to them. Yet the GDPR describes this fairly precisely. It is worth knowing which side of the line your company is on.
When a DPO is mandatory
The GDPR lists three situations in which appointing a DPO is mandatory.
- The processing is carried out by a public authority or body.
- The core activity consists of regular and systematic monitoring of individuals on a large scale.
- The core activity consists of large-scale processing of special categories of data or data relating to convictions.
The key phrases are core activity and large scale. A shop that keeps an ordinary customer list usually does not fall under the obligation. A medical facility, a security company running surveillance or a platform that tracks user behaviour already does.
Large scale in practice
There is no fixed number of records at which large scale begins. You consider the number of people, the scope of data, the duration and the geographical reach. That is why two companies of similar size can have different obligations, depending on what they do.
The most common mistake I see is counting the number of customers only. A company running video surveillance across several sites can process data on a large scale even though it has few customers.
When it is worth appointing a DPO voluntarily
Even without a legal obligation, appointing a DPO can be sensible. It signals maturity, but it also genuinely takes weight off the management board.
- You process sensitive data, even below the large-scale threshold.
- You operate in a regulated sector or serve large organisations that expect it.
- You want a single point of contact for GDPR matters and order in your documentation.
Watch out for one trap. If you appoint a DPO voluntarily, you are bound by the same requirements as with a mandatory appointment: independence, notification to the authority, no conflict of interest. You cannot have a DPO in name only.
What a DPO cannot do
This is the source of many problems in small companies that appoint someone from the management board or the head of IT as DPO.
- A DPO cannot decide on the purposes and means of processing themselves, because they would then be reviewing their own decisions.
- A DPO must have independence and direct contact with top management.
- A DPO needs real time and knowledge, not a role bolted on to a full-time job by force.
This is exactly why combining the DPO role with that of a CEO, IT director or HR head can be a conflict of interest.
What outsourcing the DPO role gives you
For an SME, outsourcing the DPO role often solves all of the above problems at once. An external officer is independent by definition and has experience from many deployments.
- Independence without conflict of interest, because a person outside the structure does not assess their own decisions.
- Up-to-date knowledge of changes in the law and case law.
- Ready-made procedures: handling data subject requests, impact assessments, breach reporting.
- Support in dealing with the supervisory authority and with the people whose data is processed.
- A predictable cost instead of maintaining yet another full-time position.
What to watch for when choosing
Good DPO outsourcing is not a mailbox checked once a quarter. Establish what availability looks like, the response time for an incident and the scope of support during an inspection. Ask about real experience in your sector.
Summary
First check whether a DPO is mandatory for you: public character, large-scale monitoring or special categories of data on a large scale. If not, consider a voluntary appointment where risk and market expectations justify it. In both cases, remember independence and the absence of a conflict of interest.
If you want an independent officer without a full-time hire and without conflicting roles, take a look at our DPO outsourcing. And if you do not know where to start, a good starting point is a GDPR audit, which will show what you really need.