DPO Outsourcing and the GDPR

Protecting data, be it personal, sensitive, or even public, is extremely important, and having a competent Data Protection Officer will ensure successful implementation of all the regulations and proper compliance with the GDPR (General Data Protection Regulation) that is coming into force on May 25th 2018.

The DPO is responsible for overseeing the proper use of information technology and supplying staff with information and providing training. The DPO is an independent role, thus is not obliged to adhere to instructions issued by other members of staff in performing DPO role-related tasks.


Article 37 of the GDPR stipulates that a controller or a processor must appoint a DPO if:

  • You are a Public Authority processing data, or
  • You are a controller or a processor whose principal activities involve large-scale, regular, and systematic data processing, or
  • You are a controller or a processor whose principal activities involve large-scale processing of sensitive data (under Article 9) or data relating to criminal convictions/offenses (under Article 10)


In today’s competitive market, it may be hard to find a suitable DPO, or it may be more feasible to look for an outsourcing alternative. It would be wise to consider appointing an external Data Protection Officer for reasons of cost, training, skillset, qualifications, and assumed liability.

In general, outsourcing the role of the DPO will cost less and your organization will benefit from a team-held knowledge base and experience that is wider and deeper than that of any single person who may be suited for the role in your organization.