Updated: June 29, 2023
Published: June 22, 2022
While the data protection officer role is required by the EU's General Data Protection Regulation, how to operationalize the role is up for debate.
When the European Union adopted its General Data Protection Regulation (GDPR) in 2018, one of its many requirements included the appointment of a data protection officer inside respective organizations.
Despite the mandate, how to operationalize the role is still up for debate.
According to the GDPR, an entity must hire a data protection officer (or DPO) if its main activities involve processing sensitive data on a large scale or if its operations involve regular, systematic monitoring of individuals.
A DPO’s function is straightforward: to verify a company’s compliance with the GDPR and to facilitate connections among data subjects, regulators, and C-suites. Essentially, a DPO serves as a liaison between data subjects — any person about whom an organization collects data — and the organization’s main supervisory authority. The DPO also monitors a company’s data processing and performs data protection impact assessments.
Bottom line? A data protection officer balances a company’s appetite for data with customers’ privacy rights.
Since GDPR’s inception, some DPOs (or those who assumed the new position) understandably feared being seen as whistleblowers, suddenly calling out any potential data “no-nos” inside an organization.
But Ireland’s data protection commissioner, Helen Dixon, has said that is not the case. Discussing the relationship between DPO and regulator, she noted that the role is in fact essential to a company’s primary regulator because it makes the Data Protection Authority’s (DPA) resources more scalable: “...the DPO is now the interface with members of the public who want to raise complaints.”
And because a DPO reports to a board of directors — the highest tier of management — their boss (typically a data controller) can’t dictate how a DPO does their job. The GDPR also affords certain protections: the DPO can’t be dismissed as a result of doing their job, even if saying “no” to management means there’s a conflict of interest.
In general, an organization can choose to hire a data protection officer externally or appoint one internally. While pros and cons exist for both decisions, under the law, a DPO is expected to be “independent” in their guidance.
Though the GDPR is prescriptive on what a DPO should or shouldn’t do, how the role functions can vary greatly across organizations.
And some experts, like the U.K.’s former lead negotiator for GDPR, John Bowman, call the DPO role rather challenging in some cases. Bowman says some companies may decide to focus on performing data protection impact assessments — thus spurring an internal culture of data protection and privacy — while others choose to handle everything privacy-related that hits their inbox.
“This means there’s less chance to focus on culture or strategy,” said Bowman. “There’s no one-size-fits-all when it comes to DPO, because … in reality, it has to fit around the organization that’s already there.”
Regardless of how entities choose to structure the role, there’s tension around the mandate that DPOs must act independently. Consider this example:
If Company X employs a DPO to help it stay compliant with GDPR — but the person is also asked to cooperate regularly with data protection authorities — can the DPO act without feeling pressure to bend if Company X (which provides the DPO’s paycheck) wants to implement a process that’s potentially risky to its compliance?
In a 2020 case, the Belgian Data Protection Authority fined an organization for appointing its head of compliance, audit, and risk management as its DPO. The Belgian DPA said the roles were a conflict of interest, thus violating the GDPR.
For this reason, some believe the role should be solely external; a DPO who has no loyalty to a company can remain objective. Bowman says it depends on the individual: can they walk that “diplomatic tightrope”?
“[A DPO] wants the business to succeed,” he said. “But I think you have to sell it like: In order to succeed, [the business] needs to be compliant.”
The former DPO of the International Association of Privacy Professionals (IAPP), Rita Heimes, also called the role complicated: there aren’t always clear solutions, nor any real road map based on precedent. Still, Heimes found clear benefits when operating as an internal DPO:
“The huge advantage to the inside role is the personal relationships you have with the people who have to implement the decision,” she said.
Still, there were times Heimes wished she'd been able to consult an external DPO — particularly a European one — who thinks about privacy within the EU’s context and the laws that embody its values and norms. She said external DPOs, in general, can provide the service to a number of organizations; they’re able to offer a bird’s-eye view that internal DPOs can’t.
“They see what all of their clients do to solve problems. So, just like outside counsel, they have a view across multiple clients,” she said. “And that, in itself, is sort of a data set.”
As organizations continue to work out how to structure the role, Bowman says what will take the most time is a change in organizational mindset. He compared the maturation of the DPO role to modern health and safety requirements: when he started work, everyone smoked cigarettes in the office. Now, the thought seems unthinkable, and people recognize that a safe work environment is a necessity. But that mental shift took decades.
“I think the job is still evolving, really, and I’m not sure if a consensus has been arrived at as far as what the DPO role is,” he said. “I think it’s a cultural shift, and that cultural shift is not mature yet. It’s got a number of years to go.”
Osano Staff is a pseudonym used by team members when authorship may not be relevant. Osanians are a diverse team of free thinkers who enjoy working as part of a distributed team with the common goal of working to make a more transparent internet.