Data Protection Officer Responsibilities


Article 39 of the GDPR describes the tasks that the data protection officer (DPO) should undertake. These fall into the following broad areas:

  • Advising on the GDPR and other data protection laws
  • Monitoring compliance with GDPR
  • Advising and monitoring data protection impact assessments
  • Being the contact point for the supervisory authority


Article 39 also requires the DPO to consider their role in a wider context:

The data protection officer shall in the performance of his or her tasks have due regard to the risk associated with processing operations, taking into account the nature, scope, context and purposes of processing.

In order to fulfil the required tasks the DPO will necessarily need to engage with the controller, processor, employees, stakeholders, supervisory authorities, customers, users and the public in forming a view of the scope and context of processing.

How to:

Responsibilities will need to be broken down into supporting tasks and procedures and policies created in support of these:

  • Proactively inform the controller and processor on issues and considerations relating to the GDPR
  • Inform stakeholders of their obligations under the GDPR
  • Raise awareness of the implications of the GDPR
  • Training of staff
  • Review and update data protection policies
  • Assignment of data protection responsibilities across the organisation
  • Audit of data processing activities
  • Management of data protection risks
Data Protection Impact Assessment:
  • Advise on the content, nature, scope and timing
  • Monitor the performance of the DPIA
Supervisory authority:
  • Ensure the DPO contact details are made available to both the public and the supervisory authority
  • Act as the contact point for data protection and other issues

Common Scenarios:

Data processing audit
  • The DPO should be involved at the outset in defining the scope of data protection activities to be audited. They need to be part of any regular reviews and participate in reviews of audit outputs and findings. They will then be instrumental in helping to implement any outputs.
Promotion of GDPR within the organisation
  • With the support of the organisation, the DPO should create a plan which includes communications both internally and externally. Internally they will seek to advise stakeholders on what the implications of GDPR. Externally they will promote the activities undertaken to ensure GDPR compliance. A key aspect of this will be to conduct user training and to ensure training is also included in induction and ongoing activities.


  • GDPR Recitals: 97
  • GDPR Articles: 38, 39

How Gydeline helps

We, at Gydeline, help small and medium sized organisations save money and time by building systems, processes and policies that simplify their business and support their sustainability aims.  We do this with a range of services.

If you would like to discuss any aspects of dealing with this and other risks in your business we are always happy to offer some, free, no obligation assistance – just contact us.

Related Posts