What is a Privacy Officer and do you need one?
A plain-language guide to the Data Protection Officer (DPO) under GDPR Art. 37, when appointment is mandatory, and how the role works in practice.
A Data Protection Officer (DPO) is mandatory under GDPR Art. 37 for certain organisations. But even if a DPO is not legally required, appointing someone responsible for privacy compliance is strongly recommended for any business that handles personal data.
Privacy Officer vs Data Protection Officer — what's the difference?
The terms “Privacy Officer”, “Data Protection Officer”, and “Chief Privacy Officer” are often used interchangeably — but they are not the same thing. Understanding the distinctions matters, particularly for compliance purposes under GDPR.
Data Protection Officer (DPO)
Statutory role. A formal, legally mandated role under GDPR Art. 37 (and equivalent provisions in UK GDPR, Quebec Law 25, LGPD, and India DPDP). Has specific statutory functions, independence requirements, and cannot be dismissed or penalised for performing their duties. The DPO must have expert knowledge of data protection law and practice.
Art. 37–39 GDPR
Chief Privacy Officer (CPO) / Privacy Officer
Non-statutory best practice. A broader, non-statutory role adopted as best practice by many organisations, particularly in the US. The role varies widely, from a senior compliance lead to a C-suite executive overseeing privacy strategy, product, and policy. Not defined by GDPR but widely used in practice across all industries.
Privacy Lead / Privacy Champion
Informal role. An informal role used in small businesses and startups to designate someone responsible for day-to-day privacy compliance without a formal title. Typically a junior-to-mid-level employee with privacy duties alongside a primary role. Not a legal designation under any law but a practical approach to maintaining basic compliance.
When is a DPO mandatory under GDPR?
Under Art. 37(1) GDPR, appointment of a DPO is mandatory when any of the following three conditions is met:
- 1. Public authority or body. The controller or processor is a public authority or body (except for courts acting in their judicial capacity). This applies regardless of the nature or volume of processing.
- 2. Large-scale regular and systematic monitoring. The core activities consist of processing operations that require regular and systematic monitoring of data subjects on a large scale — for example, behavioural advertising networks, location tracking services, credit scoring agencies, or loyalty programme operators.
- 3. Large-scale special category or criminal offence data. The core activities consist of large-scale processing of special categories of data under Art. 9 GDPR (e.g. health data, biometric data, racial or ethnic origin) or data relating to criminal convictions and offences under Art. 10 GDPR.
Art. 37(1) GDPR; EDPB Guidelines 09/2016
DPO requirements under other privacy laws
Mandatory DPO or privacy officer designation across major global privacy frameworks.
| Law | Jurisdiction | DPO/Privacy Officer Required? | Who must appoint | Citation |
|---|---|---|---|---|
| GDPR | EU/EEA | Mandatory | Public authorities; large-scale regular/systematic monitoring; large-scale special category data processing | Art. 37(1) GDPR |
| UK GDPR | United Kingdom | Mandatory | Same as EU GDPR | Art. 37(1) UK GDPR |
| PIPEDA | Canada (federal) | No (designate accountable individual) | All organisations subject to PIPEDA must designate an individual accountable for compliance | PIPEDA Schedule 1, Principle 1 |
| Quebec Law 25 | Quebec, Canada | Mandatory | Must be the highest-ranking employee or a designated person | Quebec Law 25, s.3.1 |
| LGPD | Brazil | Mandatory | All controllers (no threshold) | LGPD Art. 41 |
| India DPDP | India | No formal requirement | No formal DPO requirement in the 2023 Act (rules pending) | DPDP Act 2023 |
| Australia Privacy Act | Australia | No formal requirement | Privacy Policy must name a contact for complaints; no mandatory DPO | APP 1.3 |
Art. 37(1) GDPR; PIPEDA Schedule 1, Principle 1; Quebec Law 25, s.3.1; DPDP Act 2023; APP 1.3
What does a DPO/Privacy Officer actually do?
The statutory tasks of a DPO under Art. 39 GDPR, and how they translate into day-to-day practice.
Privacy compliance oversight
Monitoring and advising on compliance with GDPR and applicable laws, maintaining the Records of Processing Activities (ROPA), and advising the organisation on all data protection obligations.
Data subject rights management
Handling access requests, erasure requests, and objections — ensuring they are responded to within statutory deadlines (e.g. one month under Art. 12 GDPR).
Data Protection Impact Assessments
Advising on and reviewing DPIAs for high-risk processing activities, as required under Art. 35 GDPR, and consulting with the supervisory authority where necessary.
Breach response
Leading the organisation's response to personal data breaches, assessing notifiability under the applicable law, and managing regulator notification within statutory deadlines.
Training and awareness
Training staff on data protection obligations, building a culture of privacy compliance, and ensuring ongoing awareness of data protection risks across the organisation.
Regulatory liaison
Acting as the primary point of contact for the supervisory authority on all processing-related matters, as required by Art. 39(1)(e) GDPR.
Do small businesses need a Privacy Officer?
Even if a DPO is not legally required, appointing someone responsible for privacy compliance is best practice for any business that:
- Handles customer personal data (e-commerce, SaaS, or services)
- Uses email marketing, analytics, or advertising platforms
- Employs staff (employment data is personal data)
- Is subject to GDPR, UK GDPR, CCPA, or any other privacy law
Art. 37(6) GDPR
Frequently asked questions
Do I need a DPO if I am a small business?
Most small businesses are not required to appoint a DPO under GDPR Art. 37. The mandatory DPO obligation applies to public authorities, organisations whose core activities involve large-scale regular and systematic monitoring, and organisations processing large-scale special category data. However, appointing someone responsible for privacy — even informally — is strongly recommended for any business that handles personal data.
Can a DPO be an existing employee?
Yes. Art. 37(6) GDPR allows the DPO to be an existing staff member, provided there is no conflict of interest. A DPO cannot be the CEO, CFO, Head of IT, or Head of Marketing — roles whose interests may conflict with data protection. They must have sufficient independence and report directly to the highest management level (Art. 38(3) GDPR).
Can I outsource the DPO role?
Yes. Art. 37(6) GDPR permits organisations to appoint an external DPO via a service contract. This is common for small businesses and startups. The external DPO must be accessible, available to data subjects and regulators, and have no conflict of interest.
What qualifications does a DPO need?
Art. 37(5) GDPR requires the DPO to have expert knowledge of data protection law and practice. No specific formal qualification is mandated, but recognised certifications include the IAPP CIPP/E (Certified Information Privacy Professional/Europe), CIPM (Certified Information Privacy Manager), and CDPSE (Certified Data Privacy Solutions Engineer).
Is a Privacy Officer the same as a DPO?
Not legally. A DPO is a specific statutory role defined by GDPR Art. 37 with mandatory functions and independence requirements. A Privacy Officer or Chief Privacy Officer (CPO) is a broader, non-statutory role used in many organisations — particularly US companies. The functions may overlap substantially, but only a formally designated DPO meets the GDPR Art. 37 requirement.