DPO and The GDPR

Written by Luciano Castro

DPO stands for "data protection officer", and GDPR for "general data protection regulation".

If you are reading these lines, then you are probably one of the 5,300 US companies that were hit hard by the invalidation of Privacy Shield in July this summer. Although the dust around it hasn't settled yet, there's no time to be idle and wait. Our previous white paper already explored the topic of the GDPR and Privacy Shield, so in case you missed it, you can read it on our White Papers page. With so many puzzling questions and somewhat ambiguous answers coming from EU and US officials respectively, it appears that a seemingly unimportant but in reality crucial part has been severely neglected and almost omitted: the role of the DPO in becoming GDPR compliant.

Some of the burning questions regarding the DPO are:


  • Who is actually the DPO? What is their exact job?
  • Isn't using a tool like Cookiebot enough to make my company GDPR compliant?
  • Does my business need the DPO at all?


We'll try to shed some light on these questions and provide a bit of insight into this complex topic. One thing that can be said with a 100% guarantee (even before addressing this topic) is that you can't, nor should you, handle the hassle around the GDPR on your own. And I think you know it.


DPO definition


But first things first, let's start with the definition of the DPO. DPO stands for Data Protection Officer. Under Article 37 of the GDPR it is a mandatory role for all companies that collect or process EU citizens' personal data. Furthermore, DPOs are responsible for educating the company and its employees about compliance, training staff involved in data processing, and conducting regular security audits. DPOs also serve as the point of contact between the company and any Supervisory Authorities that supervise activities related to data. Beyond the duties just described, DPOs have a really broad range of responsibilities, so we are just going to list a few additional ones here:

  • Monitoring performance and providing advice on the impact of data protection efforts
  • Maintaining comprehensive records of all data processing activities conducted by the company, including the purposes of all processing activities, which must be made public on request
  • Interfacing with data subjects to inform them about how their data is being used, their right to have their personal data erased, and what measures the company has put in place to protect their personal information


The Regulation also stipulates that the DPO reports directly to top-level management and must be given all the resources necessary to carry out their functions.


And although there might be many vague areas regarding the whole topic of the GDPR and the role of the DPO in general, Article 37 specifies that the DPO needs to have "expert knowledge of data protection law and practices." Another important thing that should be mentioned is that the DPO mustn't have a conflict of interest. In other words, they mustn't have any current duties or responsibilities that conflict with their monitoring responsibilities. And if you thought that the only fine you might pay is the one for not being GDPR compliant, you are in for a not-so-pleasant surprise when it comes to violating the above-mentioned requirement about the absence of a conflict of interest. If your company fails to meet this requirement, you might end up paying up to €10 million or two percent of the company's worldwide turnover.

So, getting back to the role of the DPO. The role of the DPO is to help what the GDPR describes as data "Controllers" and "Processors" comply with data protection law and avoid the risks that organisations face when processing personal data. The next logical question would probably be: "OK, so what do a controller and a processor do?"

Article 4(7) says: "Controller means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data." To put it simply, it means the organisation responsible for making decisions about personal data.

For the data processor, Article 4(8) of the Regulation says: "Processor means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller." In other words, data processors are service providers providing outsourced services to the controller, such as marketing, accounting and HR services. In doing so, they handle or store personal data in accordance with the instructions of the controller.

The DPO is not personally responsible for the GDPR compliance of the organization; it is always the controller or the processor who is required to demonstrate compliance. The controller or the processor is obliged to provide all the tools, resources and personnel the DPO needs to perform their tasks.


[Image: DPO's line of duty. Source: dataprivacymanager.net]


As has already been mentioned, there is a lot of confusion and ambiguity when it comes to the GDPR, Privacy Shield and the DPO. It's not exactly clear when you need one. It's assumed that you do unless you can prove you don't (so much for disambiguation). You should definitely consider hiring a DPO where:

  • The processing is carried out by a "public authority"
  • The "core activities" require regular and systematic monitoring of data subjects on a "large scale"
  • The "core activities" involve "large scale" processing of "special categories" of personal data or of data relating to criminal convictions and offences

And although there has been controversy over whether SMEs should fall under the DPO requirement, they should. There shouldn't be a DPO exemption for these types of business.

If your organisation has already made some inquiries about the GDPR, you have probably encountered the term "cookie consent". Cookie consent refers to getting permission from your website visitors to collect personal data. Cookiebot is getting a lot of attention right now. A problem with tools like these is that your website visitors may be giving their consent without even knowing it. Sometimes it's obvious, because your visitors need to click OK on the tracking notice, but sometimes even scrolling past the tracking notice counts as implied consent. And that's where the problem lies: it's not really clear whether the GDPR is violated in this case, and to make matters worse, it seems as if each company has its own interpretation of what giving consent means.

A new study by researchers at MIT, UCL and Aarhus University suggests that most cookie consent pop-ups are most likely defying privacy laws. Furthermore, the study concluded that a majority of current implementations of cookie notices offer no meaningful choice to Europe's Internet users, even though EU law requires one. The Court of Justice of the European Union has also further clarified the law around cookies, making it clear that "consent must be actively signaled — meaning a digital service cannot infer consent to tracking by indirect actions (such as the pop-up being closed by the user without a response or ignored in favor of interacting with the service)." In a perfect world, web visitors would be able to choose not to be tracked as easily as they can give their consent. However, that's still far-fetched.


Implicit consent

Implicit consent — aka (illegally) inferring consent via non-affirmative user actions (such as the user visiting or scrolling on the website or a failure to respond to a consent pop-up or closing it without a response) — was found to be common (32.5%) among the studied sites. (source:techcrunch.com)

Moreover, it seems that rejecting tracking was more difficult than accepting it, with a majority (50.1%) of studied sites not having a "reject all" button, while only a tiny minority (12.6%) of sites had a "reject all" button accessible with the same number of clicks as, or fewer than, an "accept all" button. (source:techcrunch.com)

And the further the study explored this topic, the more unlawful practices surfaced. Pre-ticked boxes were found to be widely deployed as well, although such a setting isn't legally valid: "56.2% of sites pre-ticked optional vendors or purposes/categories, with 54.1% of sites pre-ticking optional purposes, 32.3% pre-ticking optional categories, and 30.3% pre-ticking both."


DPO and third-party trackers

In addition, a high number of third-party trackers is routinely used by sites. This represents a major problem for the EU consent model, because it takes visitors a lot of time to become informed enough to be able to consent legally.

None of this says that there shouldn't be any cookie consent; it merely shows how the lack of standardized enforcement on this topic creates many challenges for both entrepreneurs and clients. In reality, only very few pop-ups are GDPR compliant. On top of everything, it emphasizes once again how important it is to have a team experienced in dealing with the GDPR and its subparts. And this brings us back to the hero of this article, the DPO.
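To make the rules from the last few sections concrete (consent must be actively signalled, optional purposes must not be pre-ticked, rejecting should be as easy as accepting, and third-party trackers should only run once consent is recorded), here is a small JavaScript consent gate. It is an added example written for this article, not code from Cookiebot, from the cited study or from any consent tool; every name in it (`PURPOSES`, `applyBannerEvent`, `mayLoadTracker`, `auditBanner`, the sample banner objects) is an assumption made for the illustration.

```javascript
// Added example (not from the original article). A minimal consent model in
// which only an explicit, affirmative banner action counts as consent, optional
// purposes are never pre-ticked, and third-party trackers are gated on the
// recorded consent. All names below are assumptions made for this example.

const PURPOSES = ["necessary", "analytics", "marketing"];

// Starting state: no optional purpose is pre-ticked; only strictly necessary
// cookies are allowed, and the record is marked as not coming from the user.
function defaultConsent() {
  return { necessary: true, analytics: false, marketing: false, source: "default" };
}

// Banner events. "accept_all", "reject_all" and "save_choices" are affirmative
// actions. "scroll", "close" and "ignore" are the indirect actions from which
// the study found sites inferring consent; here they leave the record unchanged.
function applyBannerEvent(consent, event) {
  switch (event.type) {
    case "accept_all":
      return { necessary: true, analytics: true, marketing: true, source: "explicit" };
    case "reject_all":
      return { necessary: true, analytics: false, marketing: false, source: "explicit" };
    case "save_choices": {
      const next = { necessary: true, analytics: false, marketing: false, source: "explicit" };
      for (const p of event.purposes || []) {
        if (p !== "necessary" && PURPOSES.includes(p)) next[p] = true;
      }
      return next;
    }
    case "scroll":
    case "close":
    case "ignore":
      return { ...consent };
    default:
      throw new Error(`unknown banner event: ${event.type}`);
  }
}

// Gate for a third-party tracker: load it only if its purpose was explicitly
// consented to. Strictly necessary functionality needs no consent.
function mayLoadTracker(consent, purpose) {
  if (purpose === "necessary") return true;
  return consent.source === "explicit" && consent[purpose] === true;
}

// Audit a banner description for the patterns the study flagged. The banner
// objects are constructed for this example, not real site data.
function auditBanner(banner) {
  const findings = [];
  if (banner.preTickedOptional) findings.push("pre-ticked optional purposes");
  if (!banner.hasRejectAll) {
    findings.push("no reject-all button");
  } else if (banner.clicksToRejectAll > banner.clicksToAcceptAll) {
    findings.push("reject-all needs more clicks than accept-all");
  }
  if (banner.infersConsentFromScroll) findings.push("consent inferred from scrolling or closing");
  return findings;
}

// Constructed sample banners: one compliant, one showing every flagged pattern.
const SAMPLE_BANNERS = {
  compliant: { preTickedOptional: false, hasRejectAll: true, clicksToAcceptAll: 1, clicksToRejectAll: 1, infersConsentFromScroll: false },
  darkPattern: { preTickedOptional: true, hasRejectAll: false, clicksToAcceptAll: 1, clicksToRejectAll: 3, infersConsentFromScroll: true },
};

// Walk one visitor through the flow so the block runs stand-alone.
function demo() {
  let consent = defaultConsent();
  consent = applyBannerEvent(consent, { type: "scroll" });   // scrolling grants nothing
  const beforeClick = mayLoadTracker(consent, "marketing");   // false
  consent = applyBannerEvent(consent, { type: "save_choices", purposes: ["analytics"] });
  return {
    beforeClick,
    analytics: mayLoadTracker(consent, "analytics"),   // true
    marketing: mayLoadTracker(consent, "marketing"),   // false
  };
}

console.log(demo());
for (const [name, banner] of Object.entries(SAMPLE_BANNERS)) {
  console.log(name, auditBanner(banner));
}
```

The important design choice is the `source` field: a tracker is allowed only when the record was produced by an affirmative action, so a default or scroll-through state can never unlock analytics or marketing scripts. `auditBanner` is the kind of check a DPO could run against a description of the site's own banner before sign-off.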


By this point, your head is probably already quite full of information, so it might not hurt to do a bit of a recap to help you process everything and to underline why a DPO is such an important figure. As we have already seen, the role of the DPO is very versatile and covers many areas, but at its core it's all about the protection of privacy. And privacy protection is currently a very hot topic, and it will continue to be one. Thus, appointing a DPO will give you a competitive advantage, and you will get a person who acts as an intermediary between stakeholders. The DPO should operate independently, with full support from upper management and the board, and have access to all the resources needed to do the job according to best practices. Although the GDPR doesn't specify the exact qualities that a DPO should have, it does provide recommended sets of qualities and skills. The following image sums it up nicely.


[Image: Designation of the Data Protection Officer. Source: dataprivacymanager.net]


Obviously, the nature of your business will define the DPO's necessary skills, but regardless of your industry it should be a professional experienced in data protection law. Taking all of the above into account, these are probably the most common requirements for a DPO:


  • Background and expertise in legal, data compliance, audit or IT security
  • Knowledge of data protection legislation, particularly the GDPR and similar national laws
  • Relevant work experience of monitoring compliance with regulatory requirements and engaging with regulatory bodies
  • Experienced in the operational application of privacy law
  • Familiarity with computer security systems
  • Experience in managing data breaches
  • Experience in cooperation with supervisory authorities of any kind
  • Understanding of the environment in which the business operates and the associated data protection risks
  • Experience in conducting data protection impact assessments
  • Understanding GDPR requirements


Find out what the DPO requirements in your country are (source: https://dataprivacymanager.net/).


The size of your company will also affect what type of DPO you might need: it could be a full-time DPO, it could be a "shared" DPO (provided there isn't a conflict of interest), or it could be more of a consultant. But the bottom line is: you need one!


It is quite possible that this article raised even more questions for you, which just shows what a complex topic this is and that you are most likely in need of professional GDPR guidance. Everything related to the GDPR is anything but a one-man show. There needs to be a team of experts who will steer you through the rough waters of the GDPR sea, help you fight the waves of the many changes happening almost overnight, and help your company's ship make it safely to shore with no casualties and without taking the wind out of your sails.


For more information on the GDPR, Privacy Shield and the DPO, don't hesitate to visit our GDPR Compliance page and check for free whether your company is GDPR ready or compliant and, if not, how our experienced team of project managers and lawyers can assist you.

Sources: ascentor.co.uk



Contact information


Castro & Partners - P. IVA: 02325360515
Via Mannini 19, 52100, Arezzo - Italy

Phone: +39 0692949345
Contact: [email protected]


