“Should I appoint a data protection officer (DPO)?” is a question that many small and medium-sized business owners ask themselves as they try to navigate data protection and privacy laws. If you’re unsure about what a DPO does, why your business might benefit from one, and where to begin with appointing one, this guide is for you.
We’ve divided the guide into four parts:
- What is a DPO (what do they do, what are their main responsibilities)
- Do I need a DPO (how to comply with GDPR, and what happens if you don’t)
- Who can be a DPO (hiring internally, outsourcing the role)
- How to appoint a DPO (tips and guidance on how to find the right DPO)
Part 1: What is a DPO?
Data protection officers play a vital role in overseeing the correct handling of personal data within a business. They act as a key intermediary between the organization and other parties, specifically the data protection regulators and clients or data subjects who have data protection queries.
What terminology will I encounter when working with DPOs?
- A data subject is an identified or identifiable living individual to whom personal data relates
- A controller is a person, public authority, agency or other body, which alone or jointly with others, determines the purposes and means of the processing of personal data.
- A processor is a person, public authority, agency or other body, which processes personal data on behalf of the controller.
If you’re wondering whether you’re a controller or a processor (or both?!), you can find out by looking at the personal data and the processing activity that is taking place. For different data processing activities, you may be a controller, a joint controller, or a processor.
If you make any decisions that determine the purposes and means of the data processing, then you’re a controller. Controllers (including joint controllers) have far more obligations than processors under GDPR rules, as they hold ultimate control over the processing and bear ultimate responsibility for ensuring compliance with GDPR.
👉 Get GDPR support for your business
What does a DPO do?
Your DPO is your go-to person for all data protection matters and issues in your business. As a business, you may find yourself needing to handle personal data in your day-to-day activities. Your DPO will help you do so safely, monitoring and minimizing the risk of data breaches.
The tasks of the DPO are set out under Article 39 of the UK and EU GDPR. In a nutshell, data protection officers help businesses by:
- Informing and advising data controllers, data processors and employees of their specific and general data protection obligations.
- Providing advice on data protection impact assessments (DPIAs)
- Monitoring GDPR compliance within and across a business, including advising on any audits, raising awareness of data protection obligations, and setting out staff training
- Acting as a formal point of contact with the data protection regulator, and liaising with them when necessary.
- Acting as a direct point of contact for the general public, who can ask the DPO about your company’s data processing activities.
📚 Learn more: what's the difference between GDPR Representatives and DPOs?
What are the 5 key responsibilities of a DPO?
You may have heard that DPOs have key responsibilities that they must carry out. These are:
- Advising the business on all data protection matters, especially if risk assessments indicate risks to ‘data subjects’
- Providing data protection and privacy training for all staff
- Monitoring the business’s compliance with applicable data protection laws
- Supporting the business with data handling issues, especially during periods of growth and change
- Proactively cooperating and communicating with regulating authorities, especially during data breaches and other privacy concerns
Remember, DPOs only act in an oversight capacity, so your DPO is not ultimately responsible for ensuring that your business is compliant with data protection laws.
💡 Worth checking: The Ultimate Privacy Compliance Guide
Which legal framework introduced DPOs?
The GDPR, the General Data Protection Regulation, is a European Union framework enacted in 2018 to protect the data of individuals residing in the EU. This includes data collected, handled and processed by any organization, inside or outside the EU.
The EU’s GDPR rules have been used as a blueprint by many other countries around the world. After leaving the EU, the UK enacted the ‘UK GDPR’, which is identical to the original legislation. As a result of GDPR legislation in the UK and EU, any organization that handles, processes, collects, stores, or so much as touches personal data belonging to a data subject must observe data privacy rules.
📚 Learn more: what is GDPR?
GDPR and DPOs
GDPR does not explicitly require every organization to hire a data protection officer. However, all organizations should take a risk-averse approach when deciding if they need a DPO. A good starting point is to simply assume that you do need a DPO.
An essential part of complying with data protection rules is that you are able to clearly demonstrate how you are meeting the requirements as they apply to your business. In addition to this, a key principle of the GDPR is accountability. Engaging a DPO who holds the right expertise and knowledge for the role is key to demonstrating that you are taking the principle of accountability seriously.
👉 Get a Virtual Data Protection Officer
Are DPOs solely responsible for data protection compliance at your business?
As owner of your business, you are ultimately responsible for complying with GDPR and data protection laws. This means that should a breach occur, your DPO won’t be liable. This is because, as stated earlier, one of your DPO’s primary purposes is to help you minimize the risks that are inherent when processing personal data. Your DPO will help you avoid breaches and handle them should they occur. However, your business holds ultimate responsibility for remaining compliant with data protection laws.
📚 Read more: should you use a DPO or an AI Ethics officer to stay compliant with AI regulations?
Part 2: Do I need a DPO?
Often, founders will ask “Is hiring a DPO worth it?” - appointing a DPO can feel like a disproportionate expense that could be sidestepped. You may have found yourself thinking, “My business only handles a small amount of data, and that data isn’t even that sensitive, so do I really need a DPO?”
The answer, in most cases, is yes. Even in situations where you only process data belonging to a small group of individuals and the rules don’t technically require you to hire a DPO, it might be in your best interest to appoint one anyway. Let’s take a closer look at the laws and regulations around DPOs.
Does GDPR require me to have a DPO?
Under Article 37 of GDPR, if your organization meets the following criteria, you have to appoint a DPO:
- You are a public authority and you process personal data
- Your core activities consist of processing that requires large-scale, frequent, and systematic monitoring of data subjects (individuals)
- Your core activities consist of processing of special categories of data, data relating to criminal matters (offenses, convictions, etc), and especially if you’re processing large volumes of this type of data
Additionally, if your business does any of the activities listed below, it is highly likely that you will be expected to appoint a DPO in order to protect the data you are processing and the data subjects it belongs to.
- You use innovative technologies (like AI) to process data
- You process data in a way that may be regarded as privacy-intrusive
- You process data in a way that may have serious consequences for the data subjects (e.g. automated decision-making with a legal or similar significant effect)
Lastly, if you’re processing data that belongs to a vulnerable category of data subjects, like children’s data, then you should appoint a DPO.
Do my business’s ‘core activities’ require me to hire a DPO?
Do you need to process personal data to meet your key business objectives? If the answer is yes, then data processing is a core business activity, and you must hire a DPO. Even if you don’t think you’re performing ‘mass surveillance’, the reality is that if you’re planning on handling personal data on a large scale, you more than likely will need a DPO.
Does my business process ‘special categories’ of data?
Special categories of data include:
- racial or ethnic origin
- political opinions
- religious or philosophical beliefs
- trade union membership
- genetic and biometric data
- sex life or sexual orientation
- health data
If your business processes any of this sort of data, then it is highly likely that you will have to appoint a DPO.
What factors don’t matter when figuring out if I need a DPO?
As the focus is on the nature and volume of the data that you process as part of your core business activities, the following factors don’t matter when deciding if you need a DPO:
- Your business size
- The number of employees in your business
How much could you save by hiring a DPO?
“To answer this question, it’s better to think about how much you could lose by not hiring a DPO,” says Bogdan Pashynskyi, Head of Privacy at Legal Nodes. “DPOs perform specific tasks that significantly contribute to protecting organizations against data breaches and the associated costs that come with them. Whilst it may seem like an unnecessary expense, the costs associated with poor data protection hygiene can be astronomical, and the damage to data subjects, your business, and even your industry shouldn’t be underestimated.”
In 2023, the global average cost of a data breach was 4.45 million USD and the average cost of a data breach in the US was 9.48 million USD.
A 2023 IBM report analyzed data breaches that ranged between 2,160 and 101,200 compromised records. It calculated that the average cost incurred per record was 165 USD.
Areas in which you might see costs related to data breaches include:
- Detection and escalation (forensic, investigative, audit activities; crisis management)
- Notification (emails, letters, outbound calls, general notices to data subjects; communication with regulators; engagement of external experts)
- Post-breach response (help desk, inbound communications; victim identity protection services; issuing of new accounts; legal costs; product discounts; regulatory fines)
- Lost business (business disruption, revenue lost due to system downtime; customer acquisition, customer departure loss; reputational damage)
DPOs help to prevent these future costs associated with data breaches by performing several critical roles that mitigate data breach risks. These include monitoring compliance with policies related to the protection of personal data, assigning responsibilities, raising awareness, and training staff.
DPOs also streamline the data incident process by putting more effective policies in place and by training your employees on how to handle data matters properly. This offers a scalable, time-saving benefit to any business, and has a tangible impact on the value that each employee can deliver, even when no data breach occurs.
What happens if a regulator thinks I should have a DPO, and I don’t?
Under GDPR, regulating bodies can impose sanctions on your organization if they find that you are in violation of the rules. In the UK, the Information Commissioner’s Office (ICO) can take action against businesses that fail to comply with data protection laws, including civil monetary penalties and director disqualifications. Across Europe, a national regulatory body has been set up in each country that falls under EU GDPR scope, and the European Data Protection Board provides independent regulatory oversight across all of the EU.
In situations of DPO-specific violations, very high fines could be incurred. According to the EU GDPR website:
“The less severe infringements could result in a fine of up to €10 million, or 2% of the firm’s worldwide annual revenue from the preceding financial year, whichever amount is higher.”
According to the ICO’s website:
“The standard maximum amount … is £8.7 million or 2% of the total annual worldwide turnover in the preceding financial year, whichever is higher.”
Failure to appoint a DPO when you require one could result in a fine. The absence of a DPO may also lead to more serious violations of the privacy regulations, because your organization will have failed to engage a privacy professional to bring your activities into compliance with the rules.
The takeaway here is that if a DPO plays an important or necessary role in meeting your data protection obligations, and you haven’t appointed one yet, then you may be putting yourself and your business in a position of unnecessary risk.
What happens if I choose not to appoint a DPO?
If you’re sure that you don’t need a DPO and can handle your data protection matters yourself, or give the responsibilities to a designated individual in your organization, there are a few things you need to do.
- Record your reasons for not hiring a DPO
- Keep these records as this information can help you explain and defend your decisions to data protection regulators if asked about it
👉 Get a GDPR support package tailored to your business
Part 3: Who can perform the role of DPO?
Although there are no specific qualifications that DPOs must acquire, this doesn’t mean that anyone can take on the role of DPO. Data protection officers are required to have substantial knowledge of data protection laws and experience in handling privacy and data protection matters.
Some DPOs will have more experience handling special categories of data, or with working in specific industry sectors, or with large volumes of certain types of data. Consequently, when deciding who can hold the role of DPO for your business, it’s best to find a DPO who has experience working in businesses like yours, so that they are more than capable of performing the role.
How to choose the right DPO for your business
Start by deciding what you need your DPO for. Do you need your DPO to:
- Set up completely new processes and act as your business’s first ever DPO?
- Replace a previous DPO or join a data protection team?
- Support an existing team by auditing and polishing internal processes?
Some DPOs will have a lot of experience handling DPO matters for smaller companies. Others will have a track record of working with existing data protection teams to hone processes and provide an external perspective. If you need to replace a DPO for some reason (maybe your business activities have changed and therefore your DPO role has evolved) then make sure your DPO is a good fit for your company’s current and future profile.
Once you’re clear about what your DPO needs to do, make sure you find someone who has experience in both your sector and with handling data protection matters connected to your type and volume of business activities.
As Bogdan Pashynskyi, Head of Privacy at Legal Nodes, explains:
“your DPO should have a solid understanding of data protection matters in the industry that your business operates within. So if your business is in Web3, it is paramount that you find a DPO who operates within that niche. They must have a clear understanding of the Web3 industry, the applicable regulations, and the privacy considerations that might arise within your specific business.”
Which certifications do DPOs hold?
The most important and widely accepted certifications are the IAPP certifications, which include CIPP, CIPM, CIPT, etc. Some EU countries offer an official certification for DPOs, such as the ‘Certificación de Delegado de protección de datos’ in Spain. Ultimately, the IAPP certifications are the most widely recognized and are largely accepted as the gold standard of sufficient expert privacy knowledge.
From a business owner’s perspective, these certifications can be a helpful indication of a professional’s solid knowledge of the data protection laws and knowledge of how to implement an effective privacy program within an organization.
Could someone in your team be appointed as your DPO?
Yes! You don’t need to hire externally for the DPO role. If you have a member of staff who can fill the role effectively, then you can appoint the individual as your DPO. Bear in mind that the employee’s new DPO responsibilities should not be in conflict with any responsibilities of their previous role. Be careful with hiring internally, as it may seem like a convenient and cost-effective move, but could actually put your business at risk of non-compliance with privacy laws; your redeployed staff member must have the requisite privacy experience to act as DPO for your business.
Can you outsource the role of a DPO?
Yes. Many businesses outsource the role of a DPO to an individual, agency or DPO subscription service. At Legal Nodes, we regularly support businesses with GDPR matters, including by providing support with a virtual data protection officer.
Your DPO helps you minimize risks that are inherent when processing personal data. Whilst you might be able to protect data in accordance with GDPR without a DPO, hiring one helps ensure that you do so compliantly. The DPO will take on the role of increasing data protection best practices in your organization, ongoing monitoring of data protection matters, and providing that valuable point of contact for both regulators and for the general public.
As Bogdan Pashynskyi, Head of Privacy at Legal Nodes, explains:
“in some cases, using an external DPO allows large enterprises to receive valuable advice for a much lower price. This is because external DPOs are often more exposed to different privacy regulations across the globe and usually consist of a team of experts working together, instead of one sole expert.”
This is why small and medium-sized enterprises tend to rely on externally sourced DPOs as a cost-effective way of meeting GDPR requirements without hiring a full-time employee. Often, companies can simply pay a subscription and have an external service provider perform the same DPO role as an employee of the business would.
Why choose a DPO subscription from Legal Nodes?
Our DPOs have over 8 years of privacy experience and a wealth of expertise gained through exposure to various industries and regulations both within and outside of the EU. Along with a deep understanding of the privacy regulations, best practices and regulators’ expectations, we know how to clearly communicate with globally distributed stakeholders, including management, developers and product teams.
Our DPOs take a business-oriented approach to all data protection matters. Privacy compliance is about balancing business needs with regulatory requirements, so we always ensure that business interests are at the forefront of decisions whilst simultaneously ensuring protection of data subjects’ data and compliance with the rules. Consequently, the cost of our DPO subscriptions reflects the needs of each business, providing effective solutions at a fair price.
Part 4: How to appoint a DPO
First, find a suitable DPO. You can use DPO subscription services, as this way you’ll be able to get a DPO with the right expertise and experience, without having to hire and train them up internally.
Second, speak with the individual who you wish to appoint as DPO. Make sure that they’re suitable for the role and are a good fit for your business.
Finally, you will need to enter into a written agreement with your DPO, either in the form of a service agreement or appointment order, before you begin working with your DPO.
What is a DPO appointment certificate?
If you choose to appoint a DPO that you have hired externally, then you can arrange this under a service contract.
Alternatively, you can draft an appointment certificate, which includes the following details:
- Client details (this is your company information)
- Contractor details (the DPO’s information)
- The date that the contractor will begin acting as a DPO (the beginning date of the activity)
- The duties that the DPO will perform, which must be in accordance with Article 39 of GDPR
- Risk assessment and confidentiality obligations, as per Article 39 of GDPR
👉 Appoint a DPO for your organization
Who can appoint a DPO in the company?
As the DPO will report to top management in your business, it’s important that the person who makes the official appointment is a key decision maker within the business that is acting as the data controller.
What happens when you successfully appoint a DPO?
Once this appointment is made, it must be declared to the relevant supervisory body. You must also publish the contact details of the DPO on your website or in another appropriate location, so that the general public can easily access this information and contact your DPO with any data protection concerns. Your employees and the regulatory authorities should also be able to find your DPO’s contact information easily.
Although you’re not required to disclose the name of the DPO when publishing their contact details, it can be a helpful or necessary step to do so.
How can you check that your DPO is acting in compliance with GDPR?
As your DPO is not ultimately responsible for ensuring you are complying with GDPR, bear in mind that your DPO’s failure to perform can still get your business in hot water.
There are several steps you can take to help your DPO help you. These are set out under Article 38 of the GDPR, which imposes obligations on controllers and processors to support DPOs. Consequently, when appointing a DPO, you must:
- Thoroughly engage your DPO, and ensure they receive all the information they need about data protection issues as soon as reasonably practicable.
- Provide your DPO with all the resources, information and training that they need to perform their role effectively.
- Require your DPO to report regularly to the management board or another appropriate managerial group, so that the DPO has an open line of communication to the highest decision-makers.
- Enable your DPO to act independently and in an unfettered manner.
- Make sure that your DPO does not suffer any sort of prejudice for performing their role. As your DPO has to handle difficult situations of data breaches and also act ‘at arm’s length’ from other employees, this can sometimes create conflict in teams.
- Make sure there’s no conflict of interests if your DPO is also responsible for performing other tasks and duties within your organization.
Tips for choosing your DPO:
- Make sure that your DPO has both experience and expert knowledge of data protection law, and that they have the relevant credentials and evidence of their capacity to perform the role.
- Your DPO should have good knowledge of your industry or sector, and of the data processing activities (type, volume, etc) that your specific business encounters.
- Your DPO will be the face of your business when dealing with regulators and with members of the public, so choose your DPO wisely, as they will play a key role in effective communication regarding your data protection issues.
Get a DPO subscription from Legal Nodes
If you need help with your GDPR compliance, and need a data protection officer to help minimize data protection risks and support your business as it operates and grows, Legal Nodes can help. We support business owners by:
- Providing a DPO with expert knowledge in your specific industry or type of data that you process
- Engaging an external DPO to polish up your internal processes and provide new perspectives on processes like LIAs, DPIAs, and data breach assessments.
- Helping you to quickly find and appoint the right DPO for your organization.
Our DPO subscriptions give you the privacy support you need to avoid fines and penalties, and show your customers and partners that you treat data protection as a serious matter.