What is a DPO?
A DPO (Data Protection Officer) is someone within an organisation who oversees compliance with the GDPR. The DPO is the contact point for the supervisory authority and for the individuals whose data you process. It is a formal role established in GDPR Articles 37 to 39.
Important: the DPO is not responsible for GDPR compliance. That responsibility lies with the organisation itself. The DPO advises, monitors, and flags issues, but is not personally liable if something goes wrong.
When is a DPO mandatory?
The GDPR requires a DPO in three situations:
1. Government bodies and public organisations
Every public authority that processes personal data must appoint a DPO. No exceptions.
2. Large-scale, systematic monitoring of individuals
This applies when your core activity consists of systematic and large-scale observation of individuals. Think of:
- CCTV surveillance companies that provide monitoring for multiple clients
- Companies that track online behaviour on a large scale for advertising purposes
- Security companies that systematically monitor individuals
3. Large-scale processing of special categories of data
Special categories include health data, biometric data, data on race or ethnicity, political opinions, religious beliefs, and criminal records. Examples:
- Hospitals and healthcare institutions
- Laboratories performing genetic tests
- Insurers processing health data on a large scale
When do you NOT need a DPO?
Most SMEs fall outside the three categories above. A few examples:
- A construction company with 25 employees processes employee and customer data, but that’s not the core activity and it’s not large-scale. No DPO needed.
- An online shop with 10,000 customers processes names, addresses, and order history. These are ordinary personal data, not special categories, and the core activity is sales, not data processing. No DPO needed.
- An accounting firm with 5 employees processes financial data of clients. Although sensitive, this is not a “special category” in the GDPR sense. No DPO needed.
- A small marketing agency that manages campaigns for clients. Unless you profile on a large scale, no DPO needed.
The key terms are “core activity” and “large scale”. If you process personal data in support of your actual business activity (and nearly every business does), that’s not your core activity.
What does a DPO actually do?
If you do need a DPO (or voluntarily appoint one), these are the tasks:
- Inform and advise the organisation and employees on GDPR obligations
- Monitor GDPR compliance, including assigning responsibilities, awareness, and training
- Advise on DPIAs (Data Protection Impact Assessments)
- Act as contact point for the supervisory authority
- Act as contact point for data subjects with questions or complaints about their data
A DPO can be internal (an employee) or external (a hired specialist). In both cases:
- The DPO must be able to work independently and may not receive instructions on how to perform their role
- The DPO may not have a conflict of interest - the CEO, HR manager, or IT manager cannot also be the DPO
- The DPO must receive sufficient resources and access to carry out their work
No DPO needed? Here’s what you SHOULD arrange
Not needing a formal DPO doesn’t mean you have nothing to do. Your organisation must:
- Designate a GDPR contact point - someone internally who knows how GDPR documentation is organised and can handle data subject requests
- Maintain records of processing activities - this is mandatory for virtually every organisation
- Publish a privacy policy - so customers and employees know how you process their data
- Have a data breach procedure - so you can respond within 72 hours
- Conclude data processing agreements - with every party that processes data on your behalf
The difference is that you don’t need a formally appointed, independent officer. But someone has to do the work.
Practical: how to arrange this?
If you DO need a DPO:
- Internal: appoint an employee with privacy law knowledge. Ensure they have sufficient time and budget
- External: hire a DPO-as-a-service. Costs range from 500 to 2,000 euros per month
- Register the DPO with the supervisory authority
If you DON’T need a DPO:
- Designate someone internally as GDPR contact person
- Ensure this person has basic GDPR knowledge
- Document who it is and what their responsibilities are
- Use a tool like GDPRWise to maintain records of processing activities and documentation
GDPRWise helps you set up and maintain your records of processing activities, privacy policy, and GDPR documentation - without needing a DPO.