Data Protection Officer

The DPO is a position that the vast majority of companies will not need, as they are either too small or do not carry out enough processing or profiling (see our interactive GDPR law). However, you should undergo a formal assessment and make sure that you have written reasons for your choice in case of any future enquiry.

Even if it is not obligatory, you can still appoint a DPO (art. 37). In any case, you must appoint a DPO if:

– you are a public authority or body
– your work involves processing operations that amount to regular and systematic observation of individuals on a large scale
– your job involves processing of special personal data on a large scale (see Step 2).

However, any organisation is able to appoint a DPO. Regardless of whether the GDPR obliges you to appoint a DPO, you must ensure that your organisation has sufficient staff and skills to discharge your obligations under the GDPR. There is no specific training or certification needed for a DPO. What is required is that they are familiar with the GDPR and with your organisation. They do not have to undergo any specific courses, but you should ensure that they keep themselves up to date on all relevant issues and future legislation. They will manage any contact with the data protection authority of your country.