How to choose a data protection officer

One of the changes that the GDPR will bring is a brand new role: the Data Protection Officer. Does your business need one? Will he or she be accountable? And what should you look out for when drafting an employment contract? Today's article answers these questions.


Businesses have only about a quarter of a year to prepare for the European Union's new data protection regulation. One of those preparations is to appoint a data protection officer. This person will be tasked with overseeing the proper handling of personal data and reporting any irregularities and potential data leaks.

The officer, often referred to by the acronym DPO from the English Data Protection Officer, is supposed to be a kind of expert on GDPR. Most likely, if you own a business, you will therefore need to find such an expert. The following lines will outline how to do that.

Do I even need a DPO?
First of all, ask yourself whether the obligation to appoint a DPO applies to you at all. To find the answer, determine whether you fall into any of the following three categories that will have this obligation:

  • public bodies: municipal and town councils, schools, libraries or hospitals,
  • entities that regularly and systematically handle personal data: companies providing security or monitoring services, health insurance companies, digital marketing agencies or companies that produce various mobile applications,
  • entities that process sensitive personal data: multinational corporations, transport companies, banks, telecommunications service providers.

Will the DPO be responsible?
Companies either appoint someone from their own ranks as the DPO or look for one among outsiders. However, this position is completely new to the job market, so candidates cannot claim experience.

It follows that caution will be in order if you are selecting from external candidates. In recent times, many would-be experts, trainers and legal advisers have appeared on the market. And since you are the one responsible for the proper implementation of the GDPR, it is imperative that you make the right choice.

How to do it? It will help if you look for the following experience and areas in candidates:

  • experience in data protection, privacy law,
  • audit, data management,
  • membership in unions,
  • international experience,
  • education in technology and law,
  • experience in education.

What should the contract look like?
Once you've chosen the right person for the DPO role, you have another daunting task ahead of you: drafting an employment contract. Here too, you will need to pay attention to the specifics of the DPO's tasks.

For the DPO, the important points will be those that define his or her legal liability, while for you as a company it will be crucial to define in the contract what happens if, for example, the officer fails to perform his or her tasks, causes damage, gets into a conflict of interest or gives incorrect advice.

Also be sure to define in the contract how and where the materials the DPO will handle as part of his or her agenda will be stored.

If you run into something we haven't mentioned here while choosing the right DPO and don't know how to handle it, don't hesitate to contact us. We will be happy to advise you.