Data Protection Officer (DPO)

GDPR

Independent role mandated by GDPR Art. 37 for public authorities and certain large-scale processors.

A Data Protection Officer is required under GDPR Art. 37 when (a) processing is carried out by a public authority, (b) core activities involve large-scale, regular and systematic monitoring of data subjects, or (c) core activities involve large-scale processing of special-category or criminal-conviction data. The DPO must act independently and report directly to the highest management level.

Why it matters
Designating a DPO who is also the CISO or General Counsel often results in a conflict-of-interest finding, because those roles determine the purposes and means of processing that the DPO is meant to oversee. Many small and mid-sized companies therefore appoint an outsourced, fractional DPO.

Related terms

GDPR
EU regulation governing processing of personal data of EU/EEA data subjects; fines up to €20M or 4% of global turnover.
Data Controller
The entity that determines the purposes and means of personal data processing (GDPR Art. 4(7)).