Understanding the Role and Responsibilities of the DPO

Written by Nicky Whiting on 15/05/2020

The need for data protection regulation

In 2018, the world’s trust was shaken. That year it was revealed that Cambridge Analytica had furtively harvested data left exposed by Facebook. The information of over 87 million individuals was exploited to assemble voter profiles and customise the distribution of political advertisements in the run-up to the 2016 US Presidential Election and the Brexit referendum. By bombarding individuals with tailored propaganda, particularly those on the fence, the UK-based political consulting firm is widely held to have played a hand in swaying the ballot in its clients’ favour: Donald Trump sworn in as the 45th president of the United States, and the British ‘Leave EU’ vote sealed.

The algorithm and database have since been likened to a psychological warfare tool, threatening our privacy rights as well as the foundations of our democracy. With data overtaking oil as the most valuable resource, the scandal further reinforced the need for data protection laws, including the European General Data Protection Regulation (GDPR), which came into force only a couple of months later.


Unfortunately, reports suggest that many organisations have yet to achieve compliance with GDPR. Over a year after it came into force in 2018, a study conducted by Egress found that more than half of businesses (52%) were not fully compliant. British Airways and Marriott International are two of the higher-profile cases of organisations that simply had not implemented adequate safeguards; in 2019 the ICO issued notices of its intention to fine them £183 million and £99 million respectively. GDPR compliance is an involved process that cannot be achieved overnight. Rather, it is an ongoing learning curve that requires time, as well as someone qualified and well-versed to oversee its implementation and long-term compliance as part of the business’s operations. That person is the Data Protection Officer (DPO), and among the many new rules GDPR introduced is a tightening of the requirements and criteria for this key role.


Enter the Data Protection Officer

GDPR makes the appointment of a DPO mandatory in certain scenarios: where the organisation is a public authority, where its core activities involve large-scale, regular and systematic monitoring of individuals, or where its core activities involve large-scale processing of special categories of data or data relating to criminal convictions. Even outside those scenarios, most organisations handle large amounts of personal data and risk jeopardising their reputation among existing and potential customers if that data is breached. As such, it remains advisable for any and all organisations to appoint a DPO. The key point to note is that, whether or not the appointment is mandatory, every DPO must meet the criteria set out in Articles 37 to 39 of GDPR and the accompanying guidance from the European Data Protection Board (EDPB). A DPO has many responsibilities in an organisation, including:

1. Acting as the liaison between the company, the data subjects and regulatory bodies

The DPO acts as the contact point for both data subjects and the supervisory authority (in the UK this is the Information Commissioner’s Office (ICO)). They have to be prepared to answer questions, offer advice and respond to data subject access requests. The DPO’s contact details will be communicated to the ICO and made available to data subjects via privacy notices.

2. Identifying and ensuring the delivery of training and awareness programmes for employees and contractors

The DPO needs to understand the roles and responsibilities within the business, identify training needs and source suitable training solutions. In addition, awareness-raising through regular updates and notification emails will be the DPO’s responsibility, to promote a culture of data protection within the company.

3. Complying with Article 30 of GDPR (records of processing activities)

The DPO will need to ensure the business holds a complete and regularly updated record of its processing activities. This will involve working closely with different departments to understand how personal data is processed across the business, and might also involve activities such as data flow mapping.

4. Conducting regular audits to ensure compliance is maintained and ensuring policies and procedures are regularly reviewed and updated where required

The DPO will need to ensure that compliance is being maintained by implementing an audit plan to review existing policies and procedures and ensure they are being followed. Equally, as the business changes, policies and procedures will need to be updated to reflect these changes.

5. Overseeing/supervising Data Protection Impact Assessments (DPIAs)

The DPO will need a good understanding of when a DPIA is mandatory and of risk in general, and must be able to guide different departments through the DPIA process. The DPO will also be responsible for any prior consultation with the ICO (Article 36) where a DPIA identifies high-risk processing whose risks cannot be mitigated.

6. Managing a data breach

The DPO has to fully understand the requirements of GDPR in relation to reporting breaches (notifying the ICO within 72 hours of becoming aware of a breach unless it is unlikely to result in a risk to individuals, and informing affected data subjects without undue delay where the risk is high) and ensure there is a fully tested process in place to deal with breaches in the business. DPOs will need to ensure breaches are recorded correctly, including those that do not meet the reporting threshold, and that lessons are learnt to prevent the same thing happening again.

7. Keeping up to date with the latest data privacy legislation and rulings by the EDPB and Supervisory Authorities

Given that GDPR is a relatively new law, there are still a lot of unknowns regarding its interpretation. The DPO plays a key role in ensuring the business is informed of new guidance from regulatory authorities and also understands how new privacy legislation might affect the business.

As such, GDPR (Article 37(5)) and the EDPB’s guidance require the DPO to have expert knowledge of data protection law and practice, which in practice means an in-depth understanding of GDPR as well as information technology and data security. They should also be well informed about the business and its industry.


What GDPR says about a DPO

When a company appoints a DPO, it needs to meet the requirements of the role as defined in GDPR and by later guidance from the EDPB:

Having an in-depth understanding of GDPR as well as information technology and data security

This can be a difficult skillset to find. Many DPOs come from a legal background, as they need to be able to understand and interpret the law; however, many may not have a solid understanding of data security and technology.

Avoiding a conflict of interest

Alongside the necessary expertise and attributes, one of the key requirements is that the DPO must act in an unbiased and independent manner. In other words, any other tasks an individual performs outside of their DPO role must not cause a conflict of interest. Frequently, organisations assume that, because of the overlapping skills and qualifications, a CISO or IT Manager can also be the DPO.

However, this would have the CISO/IT Manager monitoring themselves, essentially marking their own homework, which is a conflict of interest. The CISO/IT Manager can therefore play a supporting role but should not be the DPO. The same applies to individuals in human resources, marketing, customer service and so on: if their other role involves determining the purposes and means of processing personal data, they cannot be the DPO.

Reporting to highest levels of management and autonomy

DPOs must report directly to the highest management level and must not receive instructions regarding the exercise of their tasks. They should have control of an adequate budget, which allows them to:

  • Conduct site visits
  • Hire a team to fill in any skills gaps, or to provide support in case of a crisis/security issue
  • Ensure employees receive the necessary security training
  • Invest in educational material and events
  • Become a member of associations for DPOs and privacy professionals, including the IAPP

Furthermore, they should have the mandate to conduct investigations without fear of reprisals. Indeed, the DPO cannot be dismissed or penalised for performing their tasks or for the advice they offer. Equally, they are not personally liable if the advice given was not actioned by the organisation; responsibility for compliance remains with the controller or processor.


Difficulties in appointing a DPO

The role of the DPO should not be underestimated or taken for granted. With an experienced and knowledgeable DPO, an organisation will fare much better in achieving regulatory compliance. This is both beneficial in avoiding the steep fines that come with non-compliance, as well as maintaining their reputation as a respected and dependable company in the eyes of the public. Unfortunately, selecting a DPO is often not a straightforward undertaking.

For instance, the DPO’s scope of work depends on the organisation they work in. On the one hand, taking someone on part-time may not be sufficient to address all duties. On the other, having someone full-time might leave them without enough to do. In the latter case, difficulties may also arise when seeking other tasks they could undertake that do not lead to a conflict of interest.

Another consideration is whether there is someone within the organisation with the necessary expertise. In smaller organisations, employees tend to wear many hats, making it difficult to single out an independent DPO. In larger organisations, the DPO might come from a legal background; however, they might not be as acquainted with information technology and data security. Even if a business were to invest both the money and time to train the individual, this does not guarantee that they will have sufficient experience to successfully manage the challenging ordeal of a data breach. Moreover, if the DPO were to fall sick or go on holiday, the organisation would also have to be prepared to have someone competent to cover for their absence.


Outsourcing the DPO as an alternative

For these reasons, an organisation may wish to outsource the DPO role, which offers a range of advantages.

1. On the whole, this option is often more cost-effective. By outsourcing, an organisation has the liberty to tailor the DPO’s working hours according to its needs. It can also save on recruitment costs.

2. Holiday and sickness cover will not be an issue, as an outsourced DPO service will provide cover according to a contracted service level.

3. They typically possess the relevant qualifications, such as being a Certified Data Protection Officer (C-DPO) and/or GDPR Practitioner.

4. The fact that they work with several companies promises a wealth of experience and knowledge. They may already have a tried-and-tested response plan, or at a minimum they will know what data needs to be assembled and how to present it to regulators. This saves organisations the time-consuming and costly affair of training an employee. It also puts the organisation in a better position to maintain regulatory compliance and to manage a data breach, should one occur.

5. The outsourced DPO is completely independent of the company, resulting in more objective advice.

6. Additionally, Bulletproof is in the unique position of benefitting from wider cybersecurity and legal teams that can support the DPO behind the scenes with technical or legal advice and guidance. Rather than depending on the experience of one sole individual, the organisation gets the expertise of a comprehensive team.

There are many factors to consider when looking to appoint a DPO, and there is no one-size-fits-all answer. While the search for the right DPO may at first present itself as a burden, it is worth investing the time, especially as the stakes have never been higher, both reputationally and financially. If you would like to discuss your DPO requirements, or find out more about Bulletproof’s Outsourced DPO packages, designed to suit any organisation size, please get in touch by emailing contact@bulletproof.co.uk or give us a call on 01428 532 900.



