DPO Toolkit


Are you a data protection officer? Are you trying to staff your DPO position? You’ve come to the right place. This DPO Toolkit has a number of resources that should be instrumental in performing this vital role in the privacy field.

From a sample job description to research on how much training a DPO needs to reach baseline GDPR knowledge, the following set of resources is regularly updated.

You may also want to avail yourself of one of the more valuable IAPP member benefits: The IAPP Privacy List. This listserv may deliver a lot of email to your inbox, but that email will be filled with valuable advice from your peers in the privacy and data protection community. See what questions other DPOs are asking, and tap into the vast knowledge base that exists among the IAPP’s membership around the globe.

Featured Resources

DPO Requirements by Country

Increasingly, privacy and data protection laws around the world require organizations to designate a data protection officer to translate legal protections into practical reality. This chart catalogues those requirements but does not include the many additional instances in which a DPO is recommended but not required.
Read More

DPO requirements in India’s proposed PDPB

The final report from a Joint Parliamentary Committee charged with reviewing India’s Data Protection Bill offered several changes before the proposal goes before Indian Parliament, including the addition of a requirement for large technology companies to appoint DPOs tasked with ensuring organizational compliance.
Read More

DPO Handbook: DPOs Under the GDPR

This book provides a comprehensive view of all aspects of the role of Data Protection Officers (DPOs) under the EU’s new General Data Protection Regulation (GDPR), starting with a look at how organizations determine whether they need a DPO, defining the skills required for the role, and discussing how to source this skillset.
Read More

Latest News and Resources

Top 5 operational impacts of China's PIPL: Part 3 — Personal information protection officer

China's Personal Information Protection Law introduces the position of "personal information protection officer" — akin to the data protection officer role under the EU General Data Protection Regulation. When the amount of personal information processed by an organization reaches the threshold specified by the national cybersecurity administration authority, it is mandatory to appoint a PIPO to supervise the processing activities and protective measures implemented. Definition of personal inf... Read More

The value of a UK representative: A response to the DPDI Bill

In July, the U.K. government introduced the Data Protection and Digital Information Bill, setting out its proposed amendments to U.K. data protection laws. The proposals stem from a consultation conducted by the Department for Digital, Culture, Media and Sport last year. The consultation received nearly 3,000 responses from domestic and overseas organizations representing a cross-section of the U.K. economy. However, not all changes proposed in the bill were included in the consultation process.... Read More

ANPD updates guidance on processing agents, DPOs

Brazil's data protection authority, the Autoridade Nacional de Proteção de Dados, released an updated version of its guidance on definitions of data processing agents and data protection officers. The guidance includes revisions on concepts for controllers, joint controllers, processors, subprocessors and DPOs, as well as practical examples of each role. The ANPD said the updates work to clear up "issues that have generated the most doubts" among those covered by the law. Read More

What is a DPO?

DPO Job Description

Cobbling together information from the GDPR and Article 29 Working Party guidance, the IAPP has developed this sample DPO job description. This description is intended to be a jumping off point for you to create one that fits the needs of your organization. Read More

Data Protection Officers: A Definitive Guide

This series of articles, produced by Freevacy, provides extensive guidance on the position, tasks, and employment of a DPO, along with information about whether your organisation needs to make such an appointment and how to meet compliance if you choose not to put a DPO in place. Read More

5 questions about DPOs

1.) What is a DPO, anyway? What are they even supposed to do? In a nutshell, the data protection officer is a senior adviser with oversight of how your organization handles personal data. Specifically, DPOs should be able to: Inform and advise your organization and staff about their privacy compliance obligations (with respect to the EU General Data Protection Regulation and other data protection laws). Monitor privacy compliance, which includes managing internal data protection activities,... Read More

DPO Handbook: Data Protection Officers Under the GDPR, 2nd Edition

Author: Thomas Shaw, CIPP/E, CIPP/US. DPO Handbook: Data Protection Officers Under the GDPR, Second Edition provides a comprehensive view of all aspects of the role of Data Protection Officers (DPOs) under the EU’s new General Data Protection Regulation (GDPR), starting with a look at how organizations determine whether they need a DPO, defining the skills required for the role, and discussing how to source this skillset. The book then describes in detail the vari... Read More

Hiring a DPO

Here’s some information to help both organizations and potential DPOs know what to look for, what a DPO contract should include, a sample job description and more. Additionally, we encourage you to view the IAPP Privacy Vendor List to find organizations that offer DPO services.

Sample DPO Service Agreement

Published: July 2018. Now that the GDPR is in effect, many organizations need data protection officers. However, not all organizations can or need to staff the DPO role in-house — and the regulation does not require organizations to do so; Article 37(6) allows for the data protection officer role to be filled using a service contract. But what should a DPO service contract look like? The IAPP offers this sample document as a starting point for organizations considering the e... Read More

DPO Job Description

Cobbling together information from the GDPR and Article 29 Working Party guidance, the IAPP has developed this sample DPO job description. This description is intended to be a jumping off point for you to create one that fits the needs of your organization. Read More

DPO Contract Provisions

Published: April 2018. The following are a minimum set of provisions an outsourced DPO contract should have. It must be emphasized that no contract should be drafted without undergoing legal review, especially as it relates to provisions impacted by local laws. There will also be a set of legal provisions common to any contract that are not shown below. Parties: The controller’s or processor’s legal entity is one party, and the DPO firm or individual is the other party. DPO’s services: At a m... Read More

GDPR Appointment of Data Protection Officer Letter

This toolkit from TermsFeed outlines whether organizations need to comply with the EU General Data Protection Regulation, especially regarding the appointment of a data protection officer. They explain the role of the DPO, how to determine whether you need one, and how to put together a compliant Appointment of Data Protection Officer Letter. Read More

How to ensure you appoint an independent DPO

In light of recent regulator action regarding data protection officer independence, it's an important moment to consider the ethical and practical considerations surrounding the appointment of a DPO. A sporting analogy is helpful here: The essential question to consider is whether one player can be both a coach and a referee. Arguably not. A referee (or DPO) must be in a position to freely advise on the rules of the game, monitor compliance and, ultimately, give a red card without fear of reprisals from own... Read More

DPO Training

Knowing and Implementing the GDPR Web Conference Series

Spanning hundreds of sections – and with vast territorial scope – the EU General Data Protection Regulation is clearly the most important privacy regulation the world has seen in decades. It asks a great deal of organizations all over the world that collect and process data about European individuals. It imposes hefty fines on those who fail to comply. What do you need to know to get started? What are the initial steps that every organization needs to take to implement the GDPR? In this three-pa... Read More

Ask the DPO – Web Conference Series

Last Updated: December 2017. As most privacy professionals know by now, the GDPR came into force in May of 2018. The list of data governance issues to be tackled is large, with many new requirements for anyone doing business with EU citizens. Many organizations, in fact, will have to appoint a data protection officer with specific tasks and responsibilities. Given these new demands, the IAPP has arranged for DPOs and privacy leaders who run some of the world’s leading privacy programs at organ... Read More

eBook – Top 10 operational responses to the GDPR

Published: March 2018. In 2016, the Westin Research Center published a series of articles identifying our analysis of the top 10 operational impacts of the EU General Data Protection Regulation. Now, with the May 25, 2018, GDPR-implementation deadline looming, the IAPP is releasing a companion series to present common practical organizational responses that our members report undertaking in anticipation of GDPR implementation. Part 1: Data inventory and mapping Part 2: Lawfu... Read More

About the job

Get some insight on the things potential DPOs and the organizations hiring them need to consider here.

Web Conference: How the Role of the CPO and CISO Has Evolved to Meet Privacy Obligations

Original broadcast date: 24 May 2021. An expert panel of CPOs and CISOs across various industries examined how their roles have evolved as global privacy regulatory requirements have increased. They shared how they have structured their security/privacy organization to meet regulatory requirements and the challenges of managing a global privacy program with matrixed teams. Practical examples were provided regarding the use of technology (IoT, inventories, DSARs, etc.) to reduce privacy risks, along with projects that resulted in fantastic success. Finally, these leaders offered their personal perspectives on how their organization has structured the roles of both the CPO and CISO. Read More

FIFA DPO: Working to make the world of football better through privacy

Growing up in Portugal, where football is “absolutely sport number one,” Jorge Oliveira, CIPM, has had a lifelong passion for the game. As he found his professional passion in privacy — growing his career in data protection at companies ranging from engineering to health care — Oliveira stayed connected to football, catching up on matches at the end of the workday. Oliveira... Read More

The Future State CIO: How the role will drive innovation

This report from NASCIO and Accenture looks at the role the state chief information officer plays as catalyst and convener to drive innovation, how state IT organizations build the capacity to innovate, where the best practices that drive this can be found, and how the state CIO of the future embraces new and emerging technologies to create the best government outcomes, among other questions. Read More

DPOs seek more tools to measure job efficacy, progress

Progress is generally gauged through reflection and evaluation, and a person’s career is a prime example of where progress checkpoints are crucial. Those evaluations, or a lack thereof, are proving to be few and far between for companies and their data privacy officers. According to officers interviewed by The Privacy Advisor, measurements for DPO efficacy are largely non-existent, leaving DPOs to self-assess their work and its effect on their company. "Part of it is that some organizations ju... Read More

Building a Compliant Program

The challenges DPAs, DPOs face to operationalize privacy at scale

Businesses and data protection authorities are both facing challenges from a complex digital and legal ecosystem with a limited set of resources. That notion was clear during a panel presentation during the final day of the 41st Annual International Conference on Data Protection and Privacy Commissioners in Tirana, Albania. "We need to operationalize privacy at scale," said Microsoft Corporate Vice President, Deputy General Counsel and Chief Privacy Officer Julie Brill. "Ensuring there are ope... Read More

Framework for Demonstrable GDPR Compliance

Nymity Research has identified 39 articles under the GDPR that require evidence of a technical or organizational measure to demonstrate compliance and has mapped these to the Nymity Privacy Management Accountability Framework. The result is the identification of 55 “primary” technical and organizational measures that, if implemented, may produce documentation that will help demonstrate ongoing compliance with your GDPR obligations. The document also identifies additional technical and... Read More

Forget about defining a DPO; define the data protection committee instead

Data protection professionals and organization management officers share a common question: Who should the data protection officer be? Some argue that a legal professional is most suitable for this role; some argue that an operations professional is the natural pick. This article suggests it’s not the background of a DPO but rather whether a data protection committee exists that would prove critical to an organization’s data protection efforts. Why has the talk been about a legal professional? ... Read More

DPO Report Template

This slide deck created by the IAPP research team offers a customizable template for a report to organizational leadership to help Data Protection Officers show the activities of the data protection team as well as record compliance with the General Data Protection Regulation. Read More