DAT-018 Data Protection Officer
Description
A Data Protection Officer (DPO) is designated where required by GDPR (mandatory where processing is large-scale, involves special categories of data, or involves systematic monitoring). The DPO is independent, has access to the highest management level, receives no instructions regarding the exercise of their tasks, and is a named point of contact for data subjects and supervisory authorities.
Rationale
The DPO is the organisational accountability anchor for GDPR compliance. Designating and adequately resourcing the DPO is a directly enforceable obligation, not a recommendation.
Framework Mappings (5)
| Framework reference | Requirement | Mapping strength |
|---|---|---|
| GDPR-Art.37 | Designation of Data Protection Officer | full |
| GDPR-Art.38 | Data Protection Officer — Position and Independence | full |
| GDPR-Art.39 | Data Protection Officer — Tasks | full |
| PM-19 | Privacy Program Leadership Role | partial |
| P8.1 | Privacy Compliance | informative |
Evidence (2)
DPO designation record and GDPR Art.37 registration confirming the DPO's appointment, independence, and notification to the supervisory authority.
Example: DPO appointment letter (signed by CEO or board), DPO contact details published on the company website privacy page, and DPO registration confirmation from the relevant supervisory authority (e.g. ICO registration certificate or DPA notification acknowledgement).
Test: Request the DPO appointment record and supervisory authority registration. Verify: (1) a named DPO is formally appointed in writing, (2) DPO contact details are published on the company website (GDPR Art.37.7), (3) DPO has been notified to the supervisory authority where required, (4) appointment records confirm the DPO is not in a position that creates a conflict of interest (e.g. not holding a decision-making role on processing purposes).
DPO role description and independence charter confirming the DPO's mandate, access to senior management, and freedom from instruction.
Example: DPO Job Description or DPO Charter (HR system / Confluence) — confirming: reporting line to board level, prohibition on instructions regarding tasks, defined resource allocation, and DPO access to all processing-related information.
Test: Request the DPO role description or charter. Verify: (1) DPO reports to the highest management level (board or equivalent), (2) the document explicitly states the DPO cannot be instructed on the exercise of their tasks, (3) the DPO has documented access to all personal data processing activities, (4) resources (time, budget, tools) are allocated.
Questions (2)
Has your organisation designated a Data Protection Officer (DPO) where required by GDPR, with the DPO contact details published and notified to the relevant supervisory authority?
A DPO is mandatory where processing is large-scale, involves special categories, or involves systematic monitoring of individuals. The DPO must be independent, report to the highest management level, and cannot be instructed on the exercise of their tasks.
How is the DPO role structured within your organisation?
The DPO must not hold a role that creates a conflict of interest (e.g. CISO, legal counsel for processing decisions, or head of marketing). An external DPO is permitted under GDPR provided independence and access requirements are met.