With mandatory DPOs looming, answering business FAQs: Part two

Editor's Note:

This is the second in a two-part series of Perspectives posts on the hiring of data protection officers in the EU. In part one, Gonca Dhont discussed when organizations should hire a DPO, differences between DPOs and CPOs, the types of knowledge base candidates should have, and much more. 

We have 20 separate legal entities across five countries in Europe. All are required to appoint a DPO as per the Regulation. Can we not just appoint a single in-house DPO to serve all of them?

Although the GDPR in principle replaces national data protection laws, some local differences will remain. These differences can be found in local laws other than data protection, in DPA reflexes and in the expectations of the citizens. Moreover, we expect the DPO to be the face of the company to the external world (DPAs and data subjects) and this task will require local language skills. Therefore, make sure your DPO has the necessary skills to address these local differences while performing tasks across different Member States.

The dream solution would be to appoint a DPO per country but given the budgetary challenges in our community, it remains a dream. Perhaps a more reasonable approach would be to group similar jurisdictions (e. g. South Europe, the Nordics) and appoint a DPO per each group.

Our DPO will assist all of our European entities. In which European country should we locate the person? Can we locate him or her outside Europe?

There seems to be no limitation on the base location of the DPO as long as she or he is easily accessible from each entity. By “easy accessibility” we do not think that the drafters meant physical accessibility but more the easiness of reaching out to the DPO for guidance. This should not be an issue, thanks to the current communication technology.

Can you locate the DPO outside Europe? Answer this first: Can your DPO really build a strong bond with your European business remotely? It is a brand new role. Regardless of the DPO location, it will be difficult for the rest of the organization to understand why the person is there and who she or he serves. Keeping the person in another continent far from his or her internal clients may have a negative impact on the person’s acceptance. Plus, the DPO needs to work with the DPAs very closely and this may include last-minute meetings!

Will the DPO report to our CPO?

Not directly; unless your CPO is the highest management level in any of your European entities. Check your organization chart to see the highest management level of your European entity. Needless to say, while your DPO is a direct report of the local management, she or he can also be connected to your CPO with a dotted-line. This is not a new working model for companies with matrix structures.

If multiple entities of the same group share a single in-house DPO, what will the reporting line look like?

Although the DPO will be officially employed by one of the legal entities, she or he would have a solid-line reporting relationship with the highest management levels of all entities in the scope. This situation must be made clear to the employee right from the start. Next to this, you must properly inform the top management of your local entities about this role, the person’s tasks and their own responsibilities, as explained in the Regulation.

Is it true that the DPO will work totally independently while performing his or her job? No one in an organization is independent.

In our view, the phrase “no instructions” in the Regulation refers to an operational independence to fulfil the key tasks. As a subject-matter-expert, the DPO is there to help your organization to reach business targets in a compliant way. She or he must be able to provide advice freely on the compliant course of action. The decision to follow this expert’s advice ultimately lies with the business.

What is the minimum period for a DPO appointment?​

There is no limitation on the length of this tenure.

What is the personal liability of the DPO for compliance failures?

There is no indication that the DPO can be held personally liable for cases of non-compliance.

Is it true that the DPOs cannot be dismissed once they are officially appointed?

The Regulation says that you cannot dismiss or penalize the DPO just because the person is doing his or her job (e.g. cooperation with the local DPA). If the person has another role in addition to being a DPO, this protection applies only for the DPO tasks.

Does it make sense to look internally first within the organization before hiring a DPO from outside?

From a talent management perspective, always. Once you have defined your ideal candidate profile, scan your organization to see whether any of your employees meet the criteria and have a little chat to confirm the person’s interest for a full-time DPO job.

If the decision is not to create a full-time headcount but to give the DPO tasks to an existing staff member, there are a couple of points to which you need to pay attention. The first one is the proper estimation of the DPO’s workload with tasks ranging from advising to monitoring, training and interactions with the external world. The job can even get heavier if we speak of a large organization with various business lines and services. Are you sure all of this can be done with a part-time resource?

Secondly, you need to make sure that the person’s DPO tasks will not conflict with his or her regular function. Which functions are not compatible with the DPO tasks and may create a conflict of interest? These could be the ones which are typically related to the “monitoring” task of the DPO; functions either too close to the data flows and processing (e.g. HR, marketing, product development, vendor management), the ones which are responsible for information security systems (e.g. IT, information security), or a function which by nature require defending corporate interests (e.g. legal).

If you cannot find the right DPO profile from within the organization, you will need to recruit a good DPO externally.

What other options do we have if we do not want to create a permanent headcount?

You can search for a knowledgeable and experienced professional who will work on the basis of a service contract. So far, it has been quite common for companies across Europe to hire an external privacy consultant for a specific project (e.g. a PIA for a new software launch). With the Regulation, now there is the possibility to assign such an expert on an ongoing basis and with an official DPO title.

Businesses have some concerns at this point. One of them is the possible negative perception of an “outsider,” just as it happens with other external consultants. Note that, even for an in-house DPO, it will take some time to build the right perception within the company (an advisor? a policeman?) and gain acceptance. This may get more challenging if the person is an external.

Some are also concerned that an external DPO would not have sufficient knowledge of the business and this could result in less compliance. This depends on the amount of time the external DPO will spend at your organization. If you take this person on a full-time basis and the only difference to a regular employee would be the contract type, then the initial onboarding period won’t be longer than any other new person on an employment contract. Going forward, as the external DPO is timely involved in all matters and works closely with the teams she or he will gather sufficient knowledge on your business.

You may make a combination of in-house and external DPOs, too. In that case, you may wish to consider factors such as the size of your entities, type of data/processing which impact their risk levels and the general level of awareness for privacy within each entity.

If we decide to recruit an external DPO to assist a group of legal entities, does the DPO need to sign a service contract with each of them?

Depending on your procurement practises, one of the entities which has the authority to represent others, can sign the service contract with the DPO. Make sure this contract lists all entities which will benefit from the DPOs services, the correct reporting lines and possibly also how the DPOs time will be split between entities. Another option is to allow each entity signing its own contract with the DPO, but this may prove to be impractical.

We are a non-EU based company subject to the Regulation and to the DPO provisions. How will we appoint a DPO, where should we locate the person, who should s/he report to?

Appointing an external DPO on the basis of a service contract could be a solution. As for the location, you can position your DPO in the Member State where the data subjects, whose personal data are processed in relation to the offering of goods or services to them, or whose behaviour is monitored, are. Your DPO would report to the highest management level of your company.

Finding the right DPO, and in a timely manner, will be a challenge for every business, but it can definitely be planned better!

Written By

Gonca Dhont, CIPP/E, CIPM


If you want to comment on this post, you need to login.


Board of Directors

See the esteemed group of leaders shaping the future of the IAPP.

Contact Us

Need someone to talk to? We’re here for you.

IAPP Staff

Looking for someone specific? Visit the staff directory.

Learn more about the IAPP»

Daily Dashboard

The day’s top stories from around the world

Privacy Perspectives

Where the real conversations in privacy happen

The Privacy Advisor

Original reporting and feature articles on the latest privacy developments

Privacy Tracker

Alerts and legal analysis of legislative trends

Privacy Tech

Exploring the technology of privacy

Canada Dashboard Digest

A roundup of the top Canadian privacy news

Europe Data Protection Digest

A roundup of the top European data protection news

Asia-Pacific Dashboard Digest

A roundup of the top privacy news from the Asia-Pacific region

Latin America Dashboard Digest

A roundup of the top privacy news from Latin America

IAPP Westin Research Center

Original works. Groundbreaking research. Emerging scholars.

Get more News »

IAPP Communities

Meet locally with privacy pros, dive deep into specialized topics or connect over common interests. Find your Community in KnowledgeNet Chapters, Sections and Affinity Groups.

IAPP Job Board

Looking for a new challenge, or need to hire your next privacy pro? The IAPP Job Board is the answer.

Join the Privacy List

Have ideas? Need advice? Subscribe to the Privacy List. It’s crowdsourcing, with an exceptional crowd.

Find a KnowledgeNet Chapter Near You

Talk privacy and network with local members at IAPP KnowledgeNet Chapter meetings, taking place worldwide.

Find more ways to Connect »

Find a Privacy Training Class

Two-day privacy training classes are held around the world. See the complete schedule now.

The Privacy Core™ Library Has Evolved

Privacy Core™ e-learning essentials just expanded to include seven new units for marketers. Keep your data safe and your staff in the know!

Online Privacy Training

Build your knowledge. The privacy know-how you need is just a click away.

Upcoming Web Conferences

See our list of upcoming web conferences. Just log on, listen in and learn!

Train Your Team

Get your team up to speed on privacy by bringing IAPP training to your organization.

Let’s Get You DPO Ready

There’s no better time to train than right now! We have all the resources you need to meet the challenges of the GDPR.

Learn more »

CIPP Certification

The global standard for the go-to person for privacy laws, regulations and frameworks

CIPM Certification

The first and only privacy certification for professionals who manage day-to-day operations

CIPT Certification

The industry benchmark for IT professionals worldwide to validate their knowledge of privacy requirements

FIP Designation

Recognizing the advanced knowledge and issue-spotting skills a privacy pro must attain in today’s complex world of data privacy.

Certify Your Staff

Find out how you can bring the world’s only globally recognized privacy certification to a group in your organization.


The IAPP’S CIPP/E and CIPM are the ANSI/ISO-accredited, industry-recognized combination for DPO readiness. Learn more today.

Learn more about IAPP certification »

IAPP-OneTrust Website Scanning & Cookie Compliance Tool

Scan your website for cookies, tags, forms and policies and create a custom, dynamically updated cookie policy based on the results of your scans.

Are You Ready for the GDPR?

Check out the IAPP's EU Data Protection Reform page for all the tools and resources you need.

Privacy Vendor List

Find a privacy vendor to meet your needs with our filterable list of global service providers.

IAPP Communities

Meet locally with privacy pros, dive deep into specialized topics or connect over common interests. Find your Community in KnowledgeNet Chapters, Sections and Affinity Groups.

More Resources »

Global Privacy Summit 2017

The world’s premier privacy conference returns with the sharpest minds and unparalleled programs—plus a whole new spin on Active Learning!

Canada Privacy Symposium 2017

The Symposium returns to Toronto! Take advantage of Early Bird rates before March 31 and join your fellow privacy pros for a stellar program.

The Privacy Bar Section Forum 2017

The Privacy Bar Section Forum is SOLD OUT and the wait list is closed. If you got on the wait list, we'll keep in touch about your status. Good luck!

Asia Privacy Forum 2017

Join us in Singapore for exclusive networking and intensive education on data protection trends and challenges in the Asia Pacific region.

Privacy. Security. Risk. 2017

We're bringing the best of the best in privacy and infosecurity to sunny San Diego. Early registration for P.S.R. opens in May.

Europe Data Protection Congress 2017

Your source for European policy debate, multi-level strategic thinking and thought-provoking discussion. Registration opens in early June.

Sponsor an Event

Increase visibility for your organization—check out sponsorship opportunities today.

More Conferences »

Become a Member

Start taking advantage of the many IAPP member benefits today

Corporate Members

See our list of high-profile corporate members—and find out why you should become one, too

Renew Your Membership

Don’t miss out for a minute—continue accessing your benefits

Join the IAPP»