GDPR Data Protection Officer: Who Needs One and What They Do
You have probably heard the term "Data Protection Officer" thrown around in privacy conversations. Maybe a consultant mentioned it. Maybe you spotted it in a competitor's privacy policy. Maybe you are genuinely worried you should have one and do not.
Here is the truth: appointing a GDPR Data Protection Officer is mandatory for some organisations and entirely optional for others. The requirement is not based on company size — it is based on what you actually do with personal data. Get it wrong in either direction and you face problems: appoint when you do not need to (wasted resource, confused accountability) or fail to appoint when you must (enforcement action, fines, and reputational damage).
This guide works through the Article 37 criteria, explains what the GDPR Data Protection Officer role actually involves, and gives you a practical checklist regardless of whether you need one.
When a GDPR Data Protection Officer Is Mandatory
Article 37 of GDPR sets out three situations where appointing a GDPR Data Protection Officer is a legal requirement, not a recommendation.
1. You Are a Public Authority or Body
If you are a government department, local authority, regulatory body, court (except when acting in a judicial capacity), or other public body defined under national law, you must appoint a GDPR Data Protection Officer. Full stop. No size threshold. No volume test. Public authority status alone triggers the obligation.
2. You Carry Out Large-Scale Regular and Systematic Monitoring of Data Subjects
This is where private-sector businesses most often get confused. The test has three elements that must all be satisfied:
- Large-scale: the monitoring must involve significant volumes of data, large numbers of individuals, or wide geographic reach (more on this below)
- Regular: ongoing or recurring — not a one-off exercise
- Systematic: organised, structured, and carried out as part of a deliberate strategy
Classic examples include online advertising networks tracking browsing behaviour across thousands of websites, loyalty programmes profiling millions of members, telecom companies monitoring call records, and location-based apps continuously collecting movement data.
A small analytics setup with a few hundred monthly visitors processed by Google Analytics does not meet the large-scale test. A travel app tracking real-time location for millions of users does.
3. You Process Special Category Data at Large Scale
Special category data under Article 9 includes health and medical data, biometric data, genetic data, racial or ethnic origin, political opinions, religious beliefs, trade union membership, and data about sex life or sexual orientation.
Processing any of these categories at large scale as a core activity triggers the GDPR Data Protection Officer requirement. A hospital processes health data as its core activity — mandatory. A GP practice with 2,000 patients also processes health data, but whether it qualifies as "large-scale" depends on the EDPB's guidance.
What "Large-Scale" Actually Means
The European Data Protection Board (EDPB) has issued guidance on the meaning of large-scale, identifying four factors to weigh:
- Number of data subjects — either as a specific number or as a proportion of the relevant population
- Volume of data and range of data items processed — breadth of data types, not just volume of records
- Duration or permanence of the processing — a short-term project versus ongoing continuous processing
- Geographical extent — local, regional, national, or international reach
No single number defines "large-scale." A regional health network processing 50,000 patient records is almost certainly large-scale. A physiotherapist with 200 clients almost certainly is not. The assessment sits in between, and judgement calls are required.
The EDPB explicitly says that a single doctor treating patients is not large-scale. But a private hospital group processing patient data across multiple facilities in multiple countries clearly is.
Worked Examples
| Organisation | DPO Required? | Reason |
|---|---|---|
| NHS trust | Yes | Public authority; large-scale health data |
| Solo GP practice | Probably not | Health data but not large-scale as core activity |
| Retail loyalty programme (millions of members) | Yes | Large-scale systematic monitoring |
| Small HR team (30 employees) | No | Employee data not large-scale |
| Credit reference agency | Yes | Large-scale systematic monitoring of financial behaviour |
| Startup SaaS with basic analytics | No | Processing incidental, not large-scale |
| National insurance company | Yes | Large-scale special category (health) data |
| Marketing agency running targeted ads | Likely yes | Systematic monitoring at scale |
When a GDPR Data Protection Officer Is Optional but Recommended
Even if you do not technically need a GDPR Data Protection Officer, there are situations where appointing one — or at least designating someone internally to perform similar functions — makes practical sense:
- You process a significant volume of personal data and want expert oversight
- You handle sensitive data that does not quite reach the "large-scale" threshold but poses meaningful risk
- You work with public sector clients who contractually require a DPO contact
- You are scaling rapidly and expect to hit mandatory thresholds soon
- You want to signal trustworthiness to enterprise customers during procurement
The EDPB encourages voluntary appointments and notes that appointing a DPO facilitates compliance regardless of whether there is a legal obligation to do so.
What a GDPR Data Protection Officer Must Do
Article 39 sets out the mandatory tasks of a GDPR Data Protection Officer. This is not a ceremonial role — it carries substantive responsibilities.
Inform and Advise
The DPO must inform and advise the organisation and its employees carrying out processing about their obligations under GDPR and other EU or national data protection laws. This means proactive education, not just reacting to questions.
Monitor Compliance
The GDPR Data Protection Officer monitors compliance with GDPR, other applicable laws, and the organisation's own data protection policies. This includes assigning data protection responsibilities to individuals across the business, raising awareness, and training staff who are involved in processing operations.
Conduct Audits
The DPO must conduct internal audits to verify that processing activities comply with the rules. These are not box-ticking exercises — they should identify real gaps, document findings, and drive remediation.
Advise on Data Protection Impact Assessments
Where a DPIA is required (high-risk processing under Article 35), the GDPR Data Protection Officer must advise the organisation on how to conduct it and monitor its execution. They do not necessarily run the DPIA themselves but provide expert input and review.
Cooperate with the Supervisory Authority
The DPO serves as the primary liaison between the organisation and the relevant data protection authority (DPA). If the ICO, CNIL, or another authority conducts an investigation or inquiry, the DPO is the contact point.
Serve as Contact Point for Data Subjects
Data subjects — your users, customers, employees — can contact the DPO directly about anything related to the processing of their personal data and the exercise of their rights. The DPO must be accessible and responsive.
DPO Independence: A Hard Requirement
One of the most important and most misunderstood aspects of the GDPR Data Protection Officer role is independence. Article 38 is explicit:
- The DPO must not receive instructions regarding the exercise of their tasks. No one in the organisation can tell the DPO to overlook a compliance problem, soften a finding, or delay a report.
- The DPO cannot be dismissed or penalised for performing their role. If the DPO raises a concern and is subsequently dismissed, that is a GDPR violation in itself — and creates a strong whistleblowing claim.
- The DPO must report directly to the highest management level — typically the board, CEO, or equivalent.
This independence requirement creates genuine tension in smaller organisations where the DPO might also wear other hats. Which brings us to the conflict of interest issue.
Conflicts of Interest
A GDPR Data Protection Officer cannot hold a position that causes a conflict of interest with their DPO role. The EDPB has given examples of roles that are incompatible:
- Head of IT — the DPO cannot audit and monitor systems they are responsible for building and maintaining
- Head of Legal — a legal director who advises on business decisions affecting data cannot independently oversee the compliance of those decisions
- CEO or Managing Director — executive leadership sets strategy; the DPO must be able to challenge that strategy independently
- Head of Marketing — marketing drives the processing the DPO is supposed to monitor
This does not mean a lawyer cannot be a DPO. It means a lawyer who is simultaneously the organisation's chief legal decision-maker probably cannot. Internal DPOs in smaller organisations need careful role scoping to avoid these conflicts.
Internal vs External GDPR Data Protection Officer
You can appoint an employee as your DPO or engage an external provider. Both are explicitly permitted under Article 37(6).
Internal DPO
Pros:
- Deep understanding of the organisation's systems, culture, and data flows
- Available day-to-day without hourly billing
- Easier integration with ongoing business decisions
Cons:
- Independence can be harder to maintain in practice
- Risk of conflicts of interest if the DPO also holds another operational role
- Requires genuine expertise — a DPO must have "expert knowledge of data protection law and practices" (Article 37(5))
- Ongoing training investment required to keep pace with regulatory developments
External DPO
Pros:
- Clear independence from day-to-day organisational pressures
- Specialist expertise often at a lower cost than a full-time hire
- Scalable — you pay for what you need
- Easier to document independence for regulators
Cons:
- Less availability for urgent queries
- Takes time to build organisational knowledge
- Contract management and confidentiality obligations required
For many small and medium-sized organisations, a fractional external GDPR Data Protection Officer is the most practical solution: genuine expertise, genuine independence, without the cost of a senior full-time hire.
The DPO's Position in the Organisation
Regardless of whether your GDPR Data Protection Officer is internal or external, Article 38 sets out structural requirements:
- Access to senior management: the DPO must be able to engage directly with the board or equivalent. Not filtered through a head of operations or legal.
- Adequate resources: the DPO must have the budget, time, staff (if needed), and access to systems necessary to carry out their tasks. A DPO given one afternoon per week and no access to IT systems cannot function.
- Access to data processing activities: the DPO must be able to see what is being processed, how, and by whom. Restricting access to systems or information defeats the purpose of the role.
Registering Your GDPR Data Protection Officer
Most EU Member States require organisations to notify their supervisory authority when they appoint a GDPR Data Protection Officer. In practice this means:
- UK: Register with the ICO — the DPO's contact details are submitted as part of your registration
- Germany: Notify the relevant Landesbeauftragter
- France: Notify the CNIL via their online DPO notification process
- Ireland: Notify the DPC
Even where notification is not technically mandatory, publishing your DPO's contact details in your privacy policy is required under Article 13/14 — data subjects must know who to contact.
What Happens If You Fail to Appoint
Failing to appoint a GDPR Data Protection Officer when one is required falls under the lower tier of GDPR fines: up to €10 million or 2% of global annual turnover, whichever is higher.
Enforcement has happened. The Portuguese supervisory authority (CNPD) fined a hospital €400,000 in part because it failed to have an adequately empowered DPO. The Spanish AEPD has issued fines for inadequate DPO arrangements. The Belgian DPA has ruled that DPOs who were not sufficiently independent did not satisfy the GDPR requirement.
Beyond fines, a missing or inadequate DPO weakens your position in any regulatory investigation. It signals that your data protection governance is not taken seriously — and regulators notice.
Practical Checklist: 6 Steps Whether or Not You Need a DPO
Even if you determine you do not need a GDPR Data Protection Officer, these steps apply to every organisation subject to GDPR:
1. Assess your obligation formally. Work through the Article 37 criteria against your actual processing activities. Document your conclusion and the reasoning — if a regulator asks, you need to show you considered it seriously, not that you just assumed you were exempt.
2. Map your processing activities. You cannot assess whether you need a DPO without understanding what you process. A data inventory or Record of Processing Activities (RoPA) is the foundation.
3. Designate a privacy lead. Even without a formal DPO, someone needs to own data protection internally. This person coordinates DSARs, monitors policy compliance, and is the first point of contact for privacy questions.
4. Publish a privacy contact. Your privacy policy must include a way for data subjects to contact you about their data. Whether it is your DPO's email or a general privacy inbox, it must exist and be monitored.
5. Train staff on data protection basics. Article 39 requires staff awareness even if you have a DPO. If you do not have one, the training burden does not disappear — it distributes across the organisation.
6. Review annually. Your processing activities change. If you launch a new product, acquire a company, or start processing health data, your DPO obligation may change. Build an annual review into your compliance calendar.
How Custodia Helps
Before you can assess your GDPR Data Protection Officer obligation, you need to understand what your organisation actually processes. The first question in any Article 37 analysis is: "What data do we collect, where does it go, and what do we do with it?"
Custodia scans your website and maps your data collection points, trackers, and third-party integrations in 60 seconds. It gives you the foundation — the processing inventory — that makes your DPO assessment meaningful rather than guesswork.
Whether you need to appoint a GDPR Data Protection Officer or simply want to understand your compliance exposure, knowing what you process is where every honest answer starts.
Scan your website with Custodia — free, no signup required.
Last updated: March 27, 2026. This post provides general information about the GDPR Data Protection Officer requirement. It does not constitute legal advice. Consult a qualified privacy professional for advice specific to your organisation's processing activities and legal obligations.