Data Protection Officers

The Data Protection Officer is one of GDPR’s most distinctive governance requirements. Where mandatory, the DPO is not simply a compliance role with a new title. It is a structurally independent function with specific expertise requirements, protected tenure, direct access to senior management, and a set of tasks that cannot be delegated away or subordinated to commercial priorities. Understanding when a DPO is required, what the role must deliver, and how to protect its independence is essential for any organisation operating under GDPR.

This article covers the three mandatory designation triggers in Article 37, the qualifications and tasks defined in Articles 38 and 39, the independence protections that make the role effective, and the governance arrangements that organisations without a mandatory DPO should put in place to ensure adequate privacy oversight.


When a DPO Is Mandatory: Three Triggers

Article 37(1) requires controllers and processors to designate a DPO in three situations. These triggers operate independently: if any one of them applies, designation is mandatory for both the controller and any processor in that relationship.

ARTICLE 37(1) — MANDATORY DPO DESIGNATION TRIGGERS

| Trigger | Article | Condition | Common Examples |
| --- | --- | --- | --- |
| Public authority or body | 37(1)(a) | The controller or processor is a public authority or body (except courts acting in a judicial capacity) | Government ministries; regulatory agencies; public health bodies; state-owned enterprises in regulatory roles |
| Large-scale systematic monitoring | 37(1)(b) | Core activities require large-scale, regular and systematic monitoring of data subjects | Telecommunications providers; internet service providers; social media platforms; tracking analytics businesses; insurance companies with monitoring programmes |
| Large-scale special category or criminal data processing | 37(1)(c) | Core activities consist of large-scale processing of special category data (Art. 9) or criminal conviction data (Art. 10) | Hospitals and healthcare systems; financial institutions with AML criminal records processing; insurance companies processing health data at scale; data brokers processing sensitive data |

Interpreting ‘Large Scale’ and ‘Core Activities’

Two terms in Article 37(1)(b) and (c) require careful interpretation: ‘large scale’ and ‘core activities’. Neither is defined in GDPR, but the EDPB’s guidelines on DPOs (WP243) provide practical guidance on both.

‘Large scale’ is assessed by reference to: the number of data subjects concerned; the volume of data; the range of different data categories; the geographic extent of the processing; the duration or permanence of the processing; and the scope of the processing. Processing affecting large numbers of individuals in a systematic way — a hospital’s patient record system, a financial institution’s customer database, a platform with millions of users — qualifies as large scale. A single GP practice treating individual patients is given as an example by the EDPB of processing that is not large scale; a hospital is.

‘Core activities’ refers to the key operations of the controller or processor that are necessary to achieve its goals. It does not cover ancillary activities: every organisation processes employee payroll data, but payroll processing is not the core activity of a retail company. By contrast, processing patient data is the core activity of a hospital. Processing financial transaction data is the core activity of a bank. Processing personal data to deliver targeted advertising is the core activity of an ad-tech platform.

KEY IDEA: The mandatory DPO threshold is lower than many organisations assume. A technology company whose core product involves processing location data, health data, or behavioural profiles at scale is almost certainly required to designate a DPO. Organisations that have concluded they do not need a DPO should document the reasoning — specifically which trigger they have assessed and why it does not apply. An undocumented ‘we don’t need one’ conclusion is not a defensible accountability position.

Voluntary DPO Designation

Article 37(4) permits controllers and processors to designate a DPO voluntarily, even where it is not required. Organisations that choose to do so must ensure that the DPO meets the same requirements — expertise, tasks, independence, and position — as a mandatory DPO. The status of a voluntarily designated DPO under GDPR is the same as that of a mandatory DPO in all respects. An organisation that designates a DPO and then fails to give that person the independence, access, and resources the role requires is in a worse position than one that has no DPO at all: the formal designation creates a documented record of a governance structure that is not functioning.

DPO Qualifications: Expert Knowledge of Data Protection Law and Practice

Article 37(5) requires the DPO to be designated on the basis of professional qualities and, in particular, expert knowledge of data protection law and practices and the ability to fulfil the tasks referred to in Article 39. There is no prescribed qualification, certification, or minimum experience level. The required expertise is assessed against the complexity of the organisation’s processing activities and the sensitivity of the data processed.

DPO COMPETENCY REQUIREMENTS

| Competency Area | What It Involves | Why It Matters |
| --- | --- | --- |
| Data protection law | Deep knowledge of GDPR, member state implementations, EDPB guidelines, DPA decisions | DPO must advise on legal requirements accurately and keep up with regulatory developments |
| Technical understanding | Understanding of data architectures, security measures, IT systems, and privacy-enhancing technologies | DPO must assess technical measures, review DPIAs, and engage credibly with engineering teams |
| Business sector knowledge | Understanding of the organisation’s industry, its regulatory context, and its processing activities | DPO must assess risks in context; generic legal knowledge without sector understanding is insufficient |
| Risk assessment | Ability to identify, assess, and prioritise data protection risks systematically | DPIA oversight and accountability programme management require structured risk thinking |
| Organisational influence | Ability to communicate with senior management, engage cross-functional teams, and drive compliance programmes | DPO must influence without direct authority; the role requires credibility and communication skills |

DPO Independence: The Non-Negotiable Requirements

Articles 38(3) and 38(6) establish the independence requirements that make the DPO role effective. These requirements are not optional — they are conditions of the role’s legitimacy. An organisation that designates a DPO but does not provide the independence the role requires has not complied with Articles 37–39; it has created a nominal DPO whose designation may itself be a compliance failure.

DPO INDEPENDENCE — MANDATORY REQUIREMENTS

| Requirement | Article | What It Requires or Prohibits |
| --- | --- | --- |
| No instructions regarding exercise of tasks | 38(3) | No one in the organisation may instruct the DPO on how to perform their data protection tasks or what conclusions to reach |
| No dismissal or penalty for performance of tasks | 38(3) | The DPO cannot be dismissed, demoted, or penalised for performing their role — including giving unwelcome advice |
| Reports directly to highest management level | 38(3) | DPO must have direct access to the board, CEO, or equivalent — not filtered through middle management |
| No conflict of interest | 38(6) | DPO cannot hold other roles that create a conflict with their data protection function — cannot be the CISO, Head of Legal, or any role that determines processing purposes |
| Adequate resources | 38(2) | DPO must be provided with the resources, access to data, and support necessary to carry out their tasks |
| Data subject contact point | 38(4) | Data subjects may contact the DPO on all matters relating to their GDPR rights |

The conflict of interest requirement in Article 38(6) has significant practical implications. A DPO cannot hold a position within the organisation that leads them to determine the purposes and means of processing personal data — because doing so would mean they are simultaneously the person responsible for overseeing their own data processing decisions. This typically rules out the DPO role being held by the CEO, CFO, CTO, CISO, Head of IT, Chief Marketing Officer, or any position with operational authority over data processing.


DPO Tasks: What Article 39 Requires

Article 39 sets out the minimum tasks that the DPO must perform. These are not a job description — they are legal obligations on the controller to ensure the DPO performs these functions. Restricting the DPO’s ability to perform any of these tasks is a violation of Article 38’s access and resource requirements.

ARTICLE 39 — DPO MANDATORY TASKS

| Task | Article | In Practice |
| --- | --- | --- |
| Inform and advise the controller/processor and employees on GDPR obligations | 39(1)(a) | Training programmes; advisory opinions; review of new processing activities; legal update briefings |
| Monitor compliance with GDPR and with the controller’s policies | 39(1)(b) | Internal audits; compliance monitoring; review of processing activities against RoPA; gap assessments |
| Provide advice on DPIAs and monitor their performance | 39(1)(c) | Screening new processing activities; reviewing DPIA methodology; signing off completed DPIAs |
| Cooperate with the supervisory authority | 39(1)(d) | Single point of contact for DPA investigations, complaints, prior consultations |
| Act as contact point for the supervisory authority | 39(1)(e) | Receive and respond to DPA correspondence; manage investigation responses |

The DPO’s Position: Not a Decision-Maker

A common misunderstanding about the DPO role is that the DPO is responsible for GDPR compliance. The DPO is not. GDPR compliance is the controller’s responsibility, and that responsibility cannot be delegated to the DPO. The DPO’s role is to advise, inform, monitor, and advocate — not to make compliance decisions on behalf of management.

When management overrides DPO advice — as it is legally entitled to do — the DPO should document the advice given, the management decision, and any concerns about the decision’s compliance implications. This documentation both protects the DPO and creates a governance record. The accountability for the non-compliant decision remains with the controller’s management, not with the DPO who advised against it.

IMPORTANT: A DPO who acts as the sole compliance decision-maker — approving or rejecting processing activities, signing off on data transfers, authorising consent mechanisms — has taken on controller-level accountability that is inconsistent with their advisory role and creates conflict of interest concerns. The DPO advises; management decides; the accountability structure remains with the controller.

Privacy Governance for Organisations Without a Mandatory DPO

Organisations that do not meet the mandatory DPO threshold are not exempt from GDPR’s accountability obligations. The accountability principle in Article 5(2) applies to all controllers regardless of whether they have a DPO. The question is not whether privacy governance is required — it is what form that governance should take.

The EDPB’s guidance suggests that all organisations should designate someone with privacy responsibilities, even where a formal DPO is not required. The appropriate level of privacy governance scales with the organisation’s size, the volume and sensitivity of personal data processed, and the risk profile of the processing activities.

PRIVACY GOVERNANCE MODELS BY ORGANISATION SIZE AND RISK PROFILE

| Organisation Type | Suggested Privacy Governance | Minimum Requirements |
| --- | --- | --- |
| Small organisation, low-risk processing (e.g. local services business) | Named privacy contact; basic policy set; annual review | Privacy notice; lawful bases documented; basic retention schedule |
| Medium organisation, moderate-risk processing (e.g. SME with customer database) | Privacy lead with part-time allocation; documented RoPA; annual compliance review | Full RoPA; DPAs with processors; rights procedures; staff training |
| Large organisation, complex processing (mandatory DPO threshold) | Full-time DPO; privacy programme; cross-functional governance | All Art. 37–39 requirements; DPIA programme; compliance monitoring |
| Organisation below DPO threshold but with high-risk processing | Voluntary DPO or external DPO service; DPIAs; enhanced governance | DPIA for high-risk activities; enhanced accountability documentation |

External DPO Services

Article 37(6) permits the DPO function to be fulfilled by an external service provider — a ‘DPO as a service’ arrangement. This is increasingly common for mid-market organisations that need DPO-level expertise but cannot justify or afford a full-time internal hire. The external DPO must meet the same expertise, independence, and task requirements as an internal DPO. The controller must ensure that the external DPO has the access, resources, and management-level reporting relationship that Articles 38 and 39 require.

The contact details of the DPO — whether internal or external — must be published and communicated to supervisory authorities under Article 37(7). Where the DPO is an external service provider, the published contact details should enable data subjects and DPAs to reach the DPO directly, not be filtered through the controller’s general customer service channels.

BITLION INSIGHT: The DPO role is most effective when it has organisational credibility, management support, and the authority to escalate concerns to the board level. Organisations that invest in a well-qualified DPO with genuine independence consistently demonstrate stronger accountability positions in DPA investigations, handle data subject rights requests more efficiently, and identify compliance risks before they become enforcement events. The DPO is not a cost centre — it is risk management infrastructure.