GDPR countdown 10 - when it comes to your DPO, don’t hire, rent

David Reed, knowledge and strategy director, DataIQ

In the rush to become compliant ahead of Friday’s deadline for GDPR enforcement, organisations are struggling to identify and deploy all of the resources which the wide-ranging new law requires. While technology fixes and process changes tend to be long-term projects that will need to have been started some time ago, there is one area in which many companies appear to be simply throwing whatever human resource they have to hand into the frontline - the appointment of a data protection officer (DPO).

“Nothing says, ‘we’ve got this’, quite like have a DPO.”

The need for a DPO is not mandatory, but for most organisations with any scale of data processing at their heart, it is likely to be desirable as previously discussed. It is a point firmly made by Peter Galdies, director of DQM GRC: “Individuals are going to be looking for the evidence that companies asking them to share their personal data are taking active measures to manage and protect it, as well as to enable their GDPR rights. Nothing says, ‘we’ve got this’, quite like have a DPO.”

But in making the right effort, some firms could be creating the wrong outcome due to who they have decided to appoint. As a data protection lawyer warned just this week, a junior staff member with “non-existent expertise” will not even count as a tick in the box of compliance.

This is because of the specific requirement in GDPR that a DPO “shall be designated on the basis of professional qualities and, in particular, expert knowledge of data protection law and practices and the ability to fulfil the tasks.” While that could mean a relatively junior staff member in possession of a law degree, assuming they are giving additional relevant training and support, there is another requirement which is likely to mean this type of appointment just won’t cut it.

An individual at a low level within the organisation is unlikely to be able to operate independently.

GDPR spells out in some detail how a DPO should be set up and resourced, adding that they “should be in a position to perform their duties and tasks in an independent manner.” An individual at a low level within the organisation is unlikely to be able to operate in this manner or not to be sacked if they do. That means many of the candidates being considered, which typically include digital marketers who have been designated as the data protection officer up to now as far as dealing with email unsubscribes are concerned, can not be considered.

So what is the answer? Galdies says companies should consider doing what they already do with other tasks that require significant professional skills - outsource to a third-party. “As has been made clear in guidance on DPOs issued by the Article 29 Working Party, the function of the DPO can also be exercised on the basis of a service contract concluded with an individual or an organisation outside the controller’s or processor’s organisation.”

Taking advantage of DPO-as-a-service looks like a smart call.

Given the paucity of skilled practitioners on the market, taking advantage of DPO-as-a-service looks like a smart call. DQM GRC recognised early into the journey for organisations towards GDPR compliance that this could be one of the stumbling blocks and set up just such a contracted service. Based on deep knowledge of data protection, built over decades of working with major data controllers to govern and protect their data assets, and resourced for scale, the company is ready and able to become the designated DPO for any business that finds itself subject to the requirement to have one, but unable or unwilling to make a permanent hire.

“Unlike many others right now, we really have got this,” says Galdies. “We can deploy DPO-as-a-service as a turnkey operation and give organisations - and more importantly their customers - the reassurance that there really is a knowledgable, skilled and accessible person responsible for handling this aspect of GDPR for you. Don’t call on junior - call on us!”

GDPR countdown 1 - changing the balance of favour

GDPR countdown 2 - a river that runs deep, so make sure your compliance isn’t shallow

GDPR countdown 3 - this time it doesn't have to be personal

GDPR countdown 4 - why training staff, not deploying IT should be your next best action

GDPR countdown 5 - why the data role you need is a protection officer, not a scientist

GDPR countdown 6 - six degrees of separation from the truth about consent

GDPR countdown 7 - straight-talking about consent

GDPR coiuntdown 8 - will GDPR and EPR eat ad-tech's lunch?

GDPR countdown 9 - "let me not to the marriage of true minds admit impediment"


This article is the tenth and final in a ten-week series by DataIQ in association with our GDPR partner, DQM GRC. For more information on the solutions it offers, visit

Knowledge and strategy director, DataIQ
David is developing the framework for soft skills and career development among data and analytics practitioners. He continues to be editor-in-chief and research director for DataIQ.