DPO Toolkit


Are you a data protection officer? Are you trying to staff your DPO position? You’ve come to the right place. This DPO Toolkit has a number of resources that should be instrumental in performing this vital role in the privacy field.

From a sample job description to research on how much training is required of a DPO to get baseline GDPR knowledge, the following set of resources are regularly updated.

You may also want to avail yourself of one of the more valuable IAPP member benefits: The IAPP Privacy List. This listserv may deliver a lot of email to your inbox, but that email will be filled with valuable advice from your peers in the privacy and data protection community. See what questions other DPOs are asking, and tap into the vast knowledge base that exists among the IAPP’s membership around the globe.

Featured Resources

The EDPB’s year of the DPO

The EDPB’s coordinated enforcement action focused on the role of the DPO. This article examines the legal requirements for DPOs and breaks down the role’s designation, position and tasks as set out in the GDPR.
Read More

EDPB launches coordinated enforcement on role of DPOs

The EDPB announced its 2023 coordinated enforcement action will focus on the designation and position of DPOs. In this second initiative under the Coordinated Enforcement Framework, 26 DPA’s will seek to gauge whether DPOs have the organizational position required by Articles 37-39 of the GDPR and the resources needed to conduct their work.
Read More

DPO Handbook: DPOs Under the GDPR

This book provides a comprehensive view of all aspects of the role of Data Protection Officers (DPOs) under the EU’s new General Data Protection Regulation (GDPR), starting with a look at how organizations determine whether they need a DPO, defining the skills required for the role, and discussing how to source this skillset.
Read More

Latest News and Resources

Data Protection Officer Requirements by Country

Increasingly, privacy and data protection laws around the world require organizations to designate a data protection officer to translate legal protections into practical reality. This chart catalogues those requirements but does not include the many additional instances in which a DPO is recommended but not required. Read More

Can the roles of DPO and whistleblowing officer be merged?

Personal data protection and whistleblowing are two different topics — different regulations with different purposes, scope and requirements. But, in fact, they are closer than they seem, especially for practical reasons. Both data protection governance and whistleblowing systems are often exercised by the same unit —  the compliance department — or even by the same person. This solution offers several advantages, but also some problematic points that need to be highlighted and clarified in adv... Read More

The value of a UK representative: A response to the DPDI Bill

In July, the U.K. government introduced the Data Protection and Digital Information Bill, setting out its proposed amendments to U.K. data protection laws. The proposals stem from a consultation conducted by the Department for Digital, Culture, Media and Sport last year. The consultation received nearly 3,000 responses from domestic and overseas organizations representing a cross-section of the U.K. economy. However, not all changes proposed in the bill were included in the consultation process.... Read More

CJEU issues ruling on DPOs and conflict of interest

Data protection officers can maintain other tasks and duties within their role, if they do not result in a conflict of interest, the Court of Justice of the European Union has affirmed. In a Feb. 9 ruling centered around Article 38 of the EU General Data Protection Regulation, the CJEU stated DPOs should “be in a position to perform their duties and tasks in an independent manner” but “cannot be entrusted with tasks or duties which would result in him or her determining the objectives and metho... Read More

Sweden’s DPA publishes DPO survey
(IAPP, January 2023)
AEPD reports 100K registered DPOs
(IAPP, January 2023)
Datatilsynet (Norway) – Data Protection Officer Survey 2020/21
(Datatilsynet, May 2022)
ANPD updates guidance on processing agents, DPOs
(IAPP, April 2022)
DPOs in Israel — An analysis of a regulatory maze
(IAPP, February 2022)
Top 5 operational impacts of China’s PIPL: Part 3 — Personal information protection officer
(IAPP, February 2022)
An examination of the DPO requirements in India’s proposed Data Protection Bill
(IAPP, February 2022)
State CIO Top-10 Priorities
(NASCIO, December 2021)
Under PIPL, demand for DPOs rises while salaries and risks ‘soar’
(IAPP, November 2021)
NASCIO – State Chief Information Officer Surveys
(NASCIO, October 2021)
Comparing the role of the DPO under the GDPR and Turkish law
(IAPP, July 2021)
Web Conference: Talks for DPOs by Dutch DPOs
(IAPP, June 2021)
Study: LGPD likely to require at least 50K DPOs in Brazil alone
(IAPP, October 2020)
The most iconic DPA decisions on DPOs and what you should take from them
(IAPP, August 2020)
Study: An estimated 500K organizations have registered DPOs across Europe
(IAPP, May 2019)
GDPR one year later: Looking backward and forward
(IAPP, May 2019)
5 questions about DPOs
(IAPP, February 2019)
White Paper – The legal risks for the DPO
(IAPP, September 2017)
White Paper – From Here to DPO: Building a Data Protection Officer
(IAPP, January 2017)
PIAs and Data Mapping – Operationalizing GDPR and Privacy by Design
(IAPP, October 2016)
DPO Decision Tree
(DPO Network Europe, October 2016)
View More Resources

DPA Guidance on DPOs

Polish DPA – The DPO Handbook

This handbook from the Polish DPA has been prepared as part of materials aimed at training DPAs in a number of EU member states in the training of data protection officers, especially in the public sector, in their new duties under the General Data Protection Regulation. Click To View (PDF) ... Read More

What is a DPO?

DPO Job Description

Cobbling together information from the GDPR and Article 29 Working Party guidance, the IAPP has developed this sample DPO job description. This description is intended to be a jumping off point for you to create one that fits the needs of your organization. Read More

5 questions about DPOs

1.) What is a DPO, anyway? What are they even supposed to do? In a nutshell, the data protection officer is a senior adviser with oversight of how your organization handles personal data. Specifically, DPOs should be able to: Inform and advise your organization and staff about their privacy compliance obligations (with respect to the EU General Data Protection Regulation and other data protection laws). Monitor privacy compliance, which includes managing internal data protection activities,... Read More

The DPO role: A quick survey

In my recent Privacy Advisor articles on the essential job skills and the appropriate professions of Data Protection Officers (DPOs) under the General Data Protection Regulation (GDPR), I discussed the statutory language of the GDPR and my interpretation of it. I also wanted to understand how others are viewing the DPO role under the GDPR, especially those who are currently in the roles responsible for compliance with this upcoming law. To achieve this, I reached out to a national association o... Read More

Hiring a DPO

Here’s some information to help both organizations and potential DPOs know what to look for, what a DPO contract should include, a sample job description and more. Additionally, we encourage you to view the IAPP Privacy Vendor List to find organizations that offer DPO services.

Sample DPO Service Agreement

Published: July 2018Click To View (PDF) Now that the GDPR is in effect, many organizations need data protection officers. However, not all organizations can or need to staff the DPO role in-house — and the regulation does not require organizations to do so; Article 37(6) allows for the data protection officer role to be filled using a service contract. But what should a DPO service contract look like? The IAPP offers this sample document as a starting point for organizations considering the e... Read More

DPO Job Description

Cobbling together information from the GDPR and Article 29 Working Party guidance, the IAPP has developed this sample DPO job description. This description is intended to be a jumping off point for you to create one that fits the needs of your organization. Read More

DPO Contract Provisions

Published: April 2018 The following are a minimum set of provisions an outsourced DPO contract should have. It must be emphasized that no contract should be drafted without undergoing legal review, especially as it relates to provisions impacted by local laws. There will also be a set of legal provisions common to any contract that is not shown below. Parties: The controller’s or processor’s legal entity is one party, and the DPO firm or individual is the other party. DPO’s services: At a m... Read More

GDPR Appointment of Data Protection Officer Letter

This toolkit from TermsFeed outlines whether organizations need to comply with the EU General Data Protection Regulation, especially regarding the appointment of a data protection officer. They explain the role of the DPO, how to determine whether you need one, and how to put together a compliant Appointment of Data Protection Officer Letter.  Click To View ... Read More

How to ensure you appoint an independent DPO

In light of recent regulator action regarding data protection officer independence, it's an important moment to consider the ethical and practical considerations surrounding the appointment of a DPO. A sporting analogy is helpful here: The essential question to consider is can one player be a coach and a referee? Arguably not. A referee (or DPO) must be in a position to freely advise on the rules of the game, monitor compliance and, ultimately, give a red card without fear of reprisals from own... Read More

DPO Training

eBook – Top 10 operational responses to the GDPR

Published: March 2018Click To View (PDF) In 2016, the Westin Research Center published a series of articles identifying our analysis of the top 10 operational impacts of the EU General Data Protection Regulation. Now, with the May 25, 2018, GDPR-implementation deadline looming, the IAPP is releasing a companion series to present common practical organizational responses that our members report undertaking in anticipation of GDPR implementation. Part 1: Data inventory and mapping Part 2: L... Read More

Why DPOs should understand EU Copyright Law

As previously discussed, DPOs are responsible for other EU data protection laws besides just the General Data Protection Regulation, including at least parts of the ePrivacy Directive. The question is: Should DPOs also be required to have knowledge of other laws? One legal area that might need to be included within DPO knowledge is EU intellectual property law. After all, just like the GDPR protects the rights of data subjects for their personal data, intellectual property law protects the righ... Read More

Binding Corporate Rules

Binding Corporate Rules (BCRs) are an appropriate safeguard allowed by the General Data Protection Regulation to facilitate cross-border transfers of personal data between the various entities of a corporate group worldwide. They do so by ensuring that the same high level of protection of personal data is complied with by all members of the organizational group by means of a single set of binding and enforceable rules. BCRs compel organizations to be able to demonstrate their compliance with all... Read More

About the job

Get some insight on the things potential DPOs and the organizations hiring them need to consider here.

Web Conference: How the Role of the CPO and CISO Has Evolved to Meet Privacy Obligations

Original broadcast date: 24 May 2021  An expert panel of CPOs and CISOs across various industries examined how their roles have evolved as global privacy regulatory requirements have increased. They shared how they have structured their security/privacy organization to meet regulatory requirements and the challenges of managing a global privacy program with matrixed teams. Practical examples provided regarding the use of technology (IoT, inventories, DSARs, etc.) to reduce privacy risks and projects that resulted in fantastic success. Finally, these leaders offered their personal perspectives on how their organization has structured the roles of both the CPO and CISO. Read More

FIFA DPO: Working to make the world of football better through privacy

Growing up in Portugal, where football is “absolutely sport number one,” Jorge Oliveira, CIPM, has had a lifelong passion for the game. As he found his professional passion in privacy — growing his career in data protection at companies ranging from engineering to health care — Oliveira stayed connected to football, catching up on matches at the end of the workday. [caption id="attachment_409897" align="alignright" width="262"] FIFA's head of data protection, Jorge Oliveira.[/caption] Oliveira... Read More

The Future State CIO: How the role will drive innovation

This report from NASCIO and Accenture looks at what role the state chief information officer plays as catalyst and convener to drive innovation, how do state IT organizations build the capacity to innovate, and where are the best practices that drive this and how does the state CIO of the future embrace new and emerging technologies to create the best government outcomes, among other questions.  Click To View (PDF) ... Read More

DPOs seek more tools to measure job efficacy, progress

Progress is generally gauged through reflection and evaluation, and a person’s career is a prime example of where progress checkpoints are crucial. Those evaluations, or a lack thereof, are proving to be few and far between for companies and their data privacy officers. According to officers interviewed by The Privacy Advisor, measurements for DPO efficacy are largely non-existent, leaving DPOs to self-assess their work and its effect on their company. "Part of it is that some organizations ju... Read More

Building a Compliant Program

The challenges DPAs, DPOs face to operationalize privacy at scale

Businesses and data protection authorities are both facing challenges from a complex digital and legal ecosystem with a limited set of resources. That notion was clear during a panel presentation during the final day of the 41st Annual International Conference on Data Protection and Privacy Commissioners in Tirana, Albania.  "We need to operationalize privacy at scale," said Microsoft Corporate Vice President, Deputy General Counsel and Chief Privacy Officer Julie Brill. "Ensuring there are ope... Read More

Forget about defining a DPO; define the data protection committee instead

Data protection professionals and organization management officers share a common question: Who should the data protection officer be? Some argue that a legal professional is most suitable for this role; some argue that an operations professional is the natural pick. This article suggests it’s not the background of a DPO but rather whether a data protection committee exists that would prove critical to an organization’s data protection efforts. Why has the talk been about a legal professional? ... Read More

DPO Report Template

This slide deck created by the IAPP research team offers a customizable template for a report to organizational leadership to help Data Protection Officers show the activities of the data protection team as well as record compliance with the General Data Protection Regulation. Read More

How to Build a Privacy Program

This topic page contains a curation of the IAPP's guidance, coverage, analysis and relevant resources covering how to build a privacy program from the ground up. Read More