Who should have the role of the DPO?

So, who should be the DPO? Okay, so you’ve decided you need a data protection officer for GDPR compliance, that’s great, but who should it be?


Well, on the surface, choosing a DPO can sound like a difficult problem, but really it isn’t. The DPO has to be a named person and it’s your choice whether it is a full-time or part-time role. That all depends massively on the workload. The best place to start is by looking at what roles you have in place already. It’s quite possible you actually already have a DPO somewhere in the organization, or at the very least have informally designated someone previously, so do some digging to check this base isn’t already covered. The next step is to exclude your operational IT and security personnel, due to a clear conflict of interest.

Choosing the Right DPO

The GDPR states that the DPO must not be conflicted by having a dual role of governing data protection whilst also defining how data is managed. You can’t be both poacher and gamekeeper.

Now in the real world, this means that an IT manager or IT director, a CTO or CIO, or a security manager are all highly unlikely to also be a DPO. Additionally, you may find other positions that represent a conflict of interest, such as a marketing manager.

So, the Data Protection Officer role is fundamentally about governance and compliance. In turn, this sits naturally with legal and security governance teams. Larger organizations will have an in-house lawyer who could be a DPO. They may also have a separation between operational IT security and security governance teams. This separation usually results in the governance function sitting outside of IT, which removes that conflict of interest for a DPO. A chief information security officer, or CISO, means many things to many people and could sit either inside or outside of IT. So, don’t assume that this position could automatically hold the DPO role without conflict.

Knowing that the DPO needs to be a governance type role is one thing, but you’ll need to ensure that they are also recognized as a board level advisor. The DPO is a protected role in that you can’t fire a DPO if they do their job too well, like informing the regulator of a breach. The DPO has to be truly recognized as a high-level role inside the organization and well respected by all.

Your DPO is critical to the success of your GDPR compliance. They need to understand the business, the data it handles and how to interact with the customer base and the regulator. The DPO needs to understand data security in depth and needs to be up to date with the latest threats to the business and the data it protects. Therefore, one overlooked consideration is whether a dual-role DPO is really a wise move. You want the very best talent for your DPO and, for larger organizations, it’s rare to find an existing employee of high enough caliber who also has large amounts of spare capacity to take on the role under the GDPR.

The DPO is not a small role, especially in the run-up phase to gaining compliance. However, many small to medium sized enterprises are well suited to the dual-role DPO. I know of one personally where the legal counsel is the DPO, one using their head of compliance and one using their finance director.

There’s no magic answer and no one size fits all, but be prepared for your dual-role DPO feeling pressure from both sides of their job for time and attention.

A common question is: in which team should a full-time Data Protection Officer be placed?

Should they report to legal, to the CEO or to the risk department? Well, who their line manager is or what dotted lines they have doesn’t really matter too much, as long as they are not conflicted by their reporting line and are free to report up to the board.

Lastly, consider appointing a dedicated outside DPO consultant. They’ll be named as your DPO and wear your corporate hat. This kind of service contract can be a great choice where a DPO is needed, but no current employee can take on the role and hiring somebody would be excessive. Some organizations only need two or three days of DPO time per month.

At my company, Cognition, we provide these virtual DPO services and have a number of customers where we are the named DPO. The virtual DPO can actually be a team of people, each providing their own specialty to make up the greater whole, and in this approach a specific person is nominated as the leader of that DPO function.