Since the GDPR entered into force in 2018, the obligation to designate a Data Protection Officer (DPO) has frequently been misunderstood - poorly applied, underestimated, or alternatively treated as an administrative formality delegated to whoever is available. None of these approaches genuinely protects the organisation.
This article clarifies what the regulation actually requires, who is concerned, and why the outsourced DPO model is often the most effective and defensible answer.
What the GDPR actually requires
Article 37 of the GDPR makes DPO designation mandatory in three cases: public authorities and bodies, organisations whose core activities involve large-scale processing of personal data, and organisations whose core activities involve regular and systematic monitoring of individuals. Outside these cases, designation remains optional - but strongly recommended whenever personal data processing is significant.
What the text also specifies, and what many organisations overlook: the DPO must have professional qualifications and expert knowledge of data protection law and practice. They must be independent - meaning they cannot simultaneously hold a position that places them in a conflict of interest with their DPO duties. And they must have access to the resources necessary to carry out their tasks.
Why assigning the role to whoever is available is not enough
Designating an internal DPO who combines this role with other responsibilities - IT director, HR manager, generalist lawyer - creates structural problems. The most obvious is conflict of interest: an IT manager who must validate their own technical choices against GDPR requirements is not independent. An in-house lawyer who reports hierarchically to the CEO is not independent either.
The second problem is competence. The GDPR is not a static text. It is interpreted in light of the evolving jurisprudence of European supervisory authorities, decisions of the CJEU such as Schrems II, which redrew the conditions for data transfers outside the EU, and now its articulation with the AI Act for systems processing personal data. Maintaining competence at this level alongside other responsibilities is rarely realistic.
What the outsourced DPO model provides
The GDPR explicitly authorises the designation of an external DPO - a person or organisation outside the company. This is an option used by organisations of all sizes, including large groups for their subsidiaries.
An outsourced DPO brings the structural independence the text requires, expertise maintained current with regulatory developments, and the ability to intervene transversally - on data processing agreements, impact assessments (DPIAs), security incidents, data subject requests - without being constrained by internal hierarchical pressures.
For an organisation whose personal data processing is significant but whose workload does not justify a full-time DPO, this is the model that offers the best balance between genuine protection and cost.
My experience on this subject
I have served as DPO in very different environments - a healthtech processing medical data at scale, a multi-country e-commerce business with complex cross-border data flows, a B2B SaaS scale-up in active structuring. In each of these contexts, the question was not just about ticking regulatory boxes - it was about building data governance that holds over time, withstands an audit, and does not slow down the business.
This is the experience I bring to my practice as a fractional DPO: not compliance as a facade, but an operational approach integrated into the reality of the organisation.
Want to assess your GDPR situation or discuss an outsourced DPO engagement?