Toolkit for the EU GDPR: 1) The Data Protection Officer (DPO)

published on January 4, 2018


This note is part of our series of "Toolkits" on specific key elements of the upcoming EU GDPR (General Data Protection Regulation). If you are an enterprise based in the EU or you hold or process any personal data of any EU citizen you will need to ensure that you are compliant with the GDPR on and following its implementation date of 25 May 2018.

Precisely how the GDPR will be implemented in the UK is currently unclear as the UK legislation is not yet finalised. We nonetheless recommend that a detailed review of data protection policies and procedures are completed ahead of its implementation (and any changes required are implemented ahead of that date as well).

The GDPR does not seek to drastically alter the existing UK regime (under Data Protection Act 1998) but it does add important additional pro-active requirements for compliance and enhanced data subject rights and protections (as well as creating a more uniform EU-wide regime).  


This document is not a comprehensive explanation of the GDPR or the obligations under it and is not intended to provide advice. If you require any advice please contact us on the contact details provided further below.     

​What is the GDPR

The GDPR will replace the existing EU Data Protection Directive 1995 (95/46/EC). It seeks to update the data protection legislation in line with modern changes in technology and the way in which personal information is commonly used, processed and shared.

This note is an overview of a new role introduced by the GDPR, namely the Data Protection Officer (or DPO as it will commonly be referred to). Any enterprise (caught within the GDPR) should start asking itself: why should they not appoint a DPO? The following guidance is intended to help an enterprise determine the right answer to that question. And we suggest the reasons for that final decision are recorded in writing (and approved by the senior management), in either case.




When must you appoint a DPO?

You must appoint a qualified DPO if you are a relevant public authority (but these bodies are outside the focus of this note).


For the private sector you must appoint a DPO if either of these limbs apply to your enterprise:

  • large scale and regular systematic monitoring of individuals (for example, online geo-location tracking); or
  • large scale processing of personal data.


For the GDPR interpretation of "large scale" (which is not defined) you should consider your enterprise to be within nthat meaning if you (globally):


  • employ more than 250 people (on a full time equivalent basis); or
  • process the data of more than 5,000 data subjects in any 12 consecutive calendar months.


For those enterprises lying outside these "large scale" operations, consider creating a lesser "GDPR monitoring" function within your organisation as part of an existing employee's role, even if not appointed to act as your full time DPO.


We would expect nearly all modern-day businesses would process or control some amount of personal data so still consider the GDPR requirements even if you do not require a DPO.


Specific advice should still be obtained before the implementation date if any doubts arise on this issue.


Who will you choose as the DPO?

If you have decided that your enterprise will have a DPO, who is best suited? Typically, the DPO role might be allocated within the existing data and information security positions within the enterprise, or to the legal team. Wherever an existing internal candidate is appointed as the DPO, the relevant individual must be given clear instructions on the role as well as adequate, proportionate and ongoing training.


Any enterprise can contract-out the role of DPO (perhaps attractive to those without existing expertise). However, a dedicated internal point of contact should still be established by the business to oversee that relationship with that external provider. All DPOs must be involved in any decisions concerning the protection of personal data (and at the relevant time too).


Group companies

Where there is a group of connected companies it is permitted to have a single "Group DPO". This point of contact must not be conflicted across the Group and must be "easily accessible to each establishment" (so using a multi-language telephone helpline or online portals will suffice for any international groups).


The DPO and conflicts of interest

All DPOs must robustly avoid having a conflict between any commercial role they might have within the organisation and their duty to ensure the proper processing of personal data as the DPO (with the latter duties always being their primary concern). An effective DPO should be established as a pro-active oversight role who can ask any part of the business to report their practices to them. They must also be accessible to the relevant data subjects outside the business.


In order to avoid any "conflict of interests" it is advisable not to attach the role of DPO to any senior commercial role, such as the CEO or CFO. The senior management team should, however, be aware of the DPO role and be concerned with and receive updates and reports from the DPO. The enterprise should also take timely action required by any DPO recommendations.


The DPO should not be appointed to anyone who is required to regularly make use of any personal data for the organisation (for example, avoid having a DPO based in any direct marketing or consumer-focussed sales teams).


Protections for the DPO from corporate interference

The DPO is a role that is given certain unique protections and privileges under the GDPR, such as the requirement to give the DPO the right to perform their role in an independent and unfettered manner. They are not allowed to be penalised or dismissed for their performance in carrying out the proper requirements of the GDPR (accordingly the businesses should always first seek professional advice where concerns arise about the actions or recommendations of the DPO).


The DPO should also not be starved of the resources needed to perform the role, this will be a question of proportionality but care should be taken to ensure the DPO has the support needed and is also able to freely and directly cooperate with the relevant GDPR supervisory authorities.


DPO – to appoint or not to appoint?

Those wanting to have a DPO when not required to do so (which supports the GDPR concept of "pro-active" compliance behaviour) will still need to ensure the DPO is suitably trained on their DPO requirements and has a clear understanding of the GDPR. A person acting as DPO on a voluntary basis is still not permitted if under-qualified for the role.



Whatever the exact nature of the finalised DPO regime to be adopted by organisations after 25 May 2018 will turn out to be, one common approach should be adopted by all: maintaining proper records as well as up-to-date security policies and practices on data protection. The DPO is a powerful component of that compliance regime. The fines under the GDPR can be substantial (up to 4% of global turnover for the biggest operators) so compliance is worth some upfront investment.


We are happy to help

We are happy to assist you with the implementation of the GDPR and we will also provide further Toolkits on the GDPR and the UK Data Protection Bill. 


 EU GDPR Toolkit for UK


Contact Person Picture

Emma Vickers

+44 121 2278 963

Send inquiry

Contact Person Picture

Jan Eberhardt


+44 121 2278 963

Send inquiry

Deutschland Weltweit Search Menu