Five myths about the data protection officer

By Steven Kant

The Data Protection Officer (DPO), formerly referred to as the Functionaris Gegevensbescherming (FG), is surrounded by many misconceptions. To clarify matters, we have compiled a top five list of common myths that we will debunk right away.


1. A DPO is detrimental to the core business.

A DPO doesn't simply say 'no' to everything. They collaborate with the organization to showcase viable options. The GDPR actually offers more possibilities than commonly assumed. Consequently, a DPO can contribute to more efficient service delivery. The core business won't suffer damage; in fact, it stands to benefit!

2. A DPO is a lawyer.

Whether only a lawyer can be a proficient DPO is debatable. Legal training isn't mandatory to understand and effectively apply the GDPR. What matters more is the DPO's ability to translate regulations into practicality. Ultimately, organizations gain more from someone who can apply than someone who merely knows. Frank wrote a blog about the DPO as a practitioner.

3. A DPO is a full-time job.

A DPO doesn't need to be employed full-time. Most (small) organizations lack the staff, budget, or workload to require a DPO's full-time commitment. In such cases, the role can be fulfilled part-time. This approach lowers the threshold to appoint a DPO and allows for tailor-made solutions.

4. A DPO must be an internal part of the organization.

A DPO doesn't have to be a permanent part of the organization. An external (part-time) DPO offers significant advantages. They can invigorate the privacy program or enhance the daily execution of privacy tasks. Additionally, an external DPO can bring valuable insights from other clients and leverage their network.

5. A DPO is mandatory for organizations with 250 employees or more.

If we were to believe this myth, a hospital with 249 employees wouldn't require a DPO, but a restaurant chain with 250 employees would. This is obviously peculiar. The number of employees isn't the determining factor; the sensitivity of the data is. A DPO is mandatory for public authorities and organizations that process sensitive personal data on a large scale or engage in monitoring individuals.

If you'd like to learn more, know of other DPO myths, or simply want to discuss the role of a DPO in your organization, feel free to get in touch with us.


More information?

Contact Steven Kant.

Related insights