What are the responsibilities of a Data Protection Officer (DPO)?

The DPO assists the controller or the processor in all issues relating to the protection of personal data. In particular, the DPO must inform and advise the controller or processor, as well as their employees, of their obligations under data protection law; monitor compliance of the organisation holding personal information with all legislation in relation to data protection, including in audits, awareness-raising activities as well as training of staff involved in processing operations; provide advice where a DPIA has been carried out and monitor its performance; act as a contact point for requests from individuals regarding the processing of their personal data and the exercise of their rights; cooperate with DPAs and act as a contact point for DPAs on issues relating to processing;

The organisation must involve the DPO in a timely manner. The DPO must not receive any instructions from the controller or processor for the exercise of their tasks. The DPO reports directly to the highest level of management of the organisation.

Companies that violate this requirement may be subject to fines up to EU$10 million or two percent of the company’s worldwide turnover, whichever is greater.

Hiring a DPO may be necessary for your organization to avoid heavy penalties, up to 4 percent of global revenue or €20 million. Real Code can help you by contracting out some of your data privacy requirements to us where we handle certain tasks and you can interface with processes via our data privacy CRM portal, get in contact and discuss your needs with one of our privacy experts here rather than taking up the time of an existing employee in your company and to avoid any conflict of interest.

What does a DPO do?

The GDPR has increased the demand for DPOs as a point of contact either inhouse employees or contracted out data privacy roles handling these tasks for a far lower cost, but not every organisation is required to appoint one under the Regulation.

Organisations must assess whether they need one and, if so, who they should give that responsibility to. There are some legal requirements that must be met, such as avoiding conflicts of interest, which can prove challenging. Your privacy notice on your website, for example, may be outdated or insufficient, we are in a perfect position to help you draft up and keep revisions of your privacy notice on all your publications.


  • Examples of processing operations which require regular and systematic monitoring of data subjects on a large scale Operating/providing telecommunications networks/services email retargeting profiling/scoring for purposes of risk assessment location tracking loyalty programs
  • Examples of processing of special categories of data or personal data relating to criminal convictions and offences
  • if: at least 20 people are constantly dealing with automated processing as a core activity in your organisation, or the processing is subject to a Data Protection Impact Assessment (Art. 35 GDPR), or Personal data is commercially processed for the purpose of (anonymised) data transfer or for the purpose of market or opinion research.
  • Inform and advise the company and its employees in regard to GDPR and EU Member State law and monitor compliance (including assignment of responsibilities, awareness-raising, training of staff involved in processing operations, and the related audits).
  • The DPO gets support to carry out their data security tasks by providing resources necessary, including financial resources, infrastructure and if necessary staff access to personal data and processing operations

Do we need to appoint a Data Protection Officer?

Under the GDPR (and data protection act), you must appoint a DPO if you are a public authority or body (except for courts acting in their judicial capacity); your core data processing activities require large scale, regular and systematic monitoring of individuals (for example, online behaviour tracking); or your core activities consist of large scale processing of special categories of data or data relating to criminal convictions and offences.

This applies to both controllers and processors. You can appoint a DPO if you wish, even if you aren’t required to. If you decide to voluntarily appoint a DPO you should be aware that the same requirements of the position and tasks apply had the appointment been mandatory.

Regardless of whether the General Data Protection Regulation obliges you to appoint a DPO, you must ensure that your organisation has sufficient staff and resources to discharge your obligations under the GDPR. However, a DPO can help you operate within the law by advising and helping to monitor compliance. In this way, a DPO can be seen to play a key role in your organisation’s data protection governance structure and to help improve accountability. You must provide contact details of your DPO on your website in order to direct Subject Access Requests to, our contracted-out services help towards this obligation you must fulfil.

If you decide that you don’t need to appoint a DPO, either voluntarily or because you don’t meet the above criteria, it’s a good idea to record this decision to help demonstrate compliance with the accountability principle.

Our professionals with their expert knowledge can carry out Data Protection Impact Assessments of your organisation or offer training staff for days on-site at your company to ensure your employees are aware of their data responsibilities, find out more details and book a call back here.