Back to blogCompliance

DPO: should you appoint a data protection officer?

NRNicolas Renard·July 23, 2026· 6 min read

The Data Protection Officer, or DPO, is responsible for ensuring GDPR compliance within an organization. Appointing one is mandatory in specific cases set out by the regulation, and recommended in many other situations, even without a strict legal obligation. The CNIL keeps a public register of appointed DPOs, which every organization subject to the obligation must notify.

When is appointing a DPO mandatory?

  • The organization is a public authority or body.
  • The organization's core activity involves the regular and systematic large scale monitoring of individuals.
  • The organization's core activity involves large scale processing of sensitive data (health, racial origin, political opinions...) or data relating to criminal convictions.

The DPO's role

MissionDescription
AdviceInforming and advising the organization on its GDPR obligations
OversightChecking compliance with the regulation and internal policies
Point of contactActing as the contact point for the data protection authority and data subjects
Impact assessmentAdvising on the completion of data protection impact assessments (DPIA)

Internal or external DPO?

An SME can appoint an internal employee, provided they have the necessary skills and are not in a conflict of interest: a DPO cannot, for example, also be the IT manager who alone decides on processing activities, which in practice rules out this option in many small organizations where IT and compliance sit with the same person. Using a shared external DPO solves that problem, but comes with a recurring cost that needs to be weighed against the actual volume of high risk processing: for a company with simple processing activities, that expense can be disproportionate to the real risk.

What if appointing one is not mandatory?

Even without a legal obligation, appointing an internal GDPR contact person, trained in the basics of the regulation, helps structure compliance and avoids the topic being handled by no one. This is often a first step before, where relevant, appointing a full DPO.

GDPR Diagnostic·See a diagnostic preview

Establishing whether the organization genuinely falls under a mandatory appointment case avoids two opposite pitfalls: going without a DPO when the regulation requires one, or appointing one out of excessive caution when a simple internal contact person would largely suffice.

Ready to assess your organization?

Try for free