Why is it necessary to have a DPO?

The Data Protection Officer (DPO) is the professional responsible for ensuring compliance with data protection regulations within an organization.

Their duties include advising the company independently, supervising internal processes and their alignment with the law, and acting as the direct point of contact with the supervisory authority on data protection matters (in Spain, the AEPD) and with the data subjects whose information the company processes (clients, users, employees, suppliers…). Their presence is therefore key to preventing sanctions, building a privacy culture within the company, and ensuring transparency. Depending on the type of activity carried out, appointing a DPO may be a legal obligation or a highly recommended strategic decision.

So, when is it actually mandatory to appoint one?

Appointing a DPO is mandatory, according to the General Data Protection Regulation (GDPR), in the following cases:

  • When large-scale processing involving systematic monitoring of individuals is carried out (e.g., platforms that track browsing habits or behavior).
  • If, on a large scale and as a core activity, special categories of data (such as health, biometrics, religious beliefs, etc.) or data relating to criminal convictions and offenses are processed.
  • For all public authorities or bodies (except for courts acting in their judicial capacity).

In addition, Spanish legislation, the Organic Law on Data Protection (LOPDGDD), establishes a list of additional cases where companies are required to appoint a DPO. You can consult this list here.

What happens if you’re required to appoint a DPO but don’t?

Failing to appoint a DPO when required can result in significant financial penalties. The AEPD has imposed hefty fines (up to 10 million euros or 2% of the company’s total annual global turnover, whichever is higher) for non-compliance with this obligation.

Moreover, lacking this role can lead to increased exposure to security breaches, user complaints, and reputational damage.

Can I appoint a DPO even if I’m not required to? Is it advisable?

Absolutely.

Even when it’s not mandatory, having a DPO (internal or external) provides security to the company and increases trust among data subjects. This role acts as a guarantee to clients, employees, and partners that personal data is being managed responsibly.

Moreover, with the rise of technologies like AI, privacy is increasingly in the spotlight. Having a DPO to guide the company is key to anticipating these challenges.

DPO Responsibilities

Key responsibilities of the DPO include:

  • Informing, advising, and monitoring compliance with data protection laws.
  • Conducting awareness and training activities for staff involved in processing operations.
  • Carrying out audits.
  • Cooperating with and acting as a point of contact for the supervisory authority and data subjects.
  • Identifying risks in complex or high-impact processing operations.
  • Coordinating responses to incidents or security breaches.
  • Advising the organization on impact assessments.

What profile should a good DPO have?

An effective DPO should meet the following criteria:

  • Legal expertise: In-depth knowledge of the GDPR and LOPDGDD is essential.
  • Independence: They must operate autonomously, without receiving instructions or being hierarchically subordinate to those making decisions about data processing.
  • Communication skills: They must be able to translate legal requirements for various departments (marketing, IT, HR…).
  • Preventive and risk-oriented approach: Able to prioritize actions where the greatest impact lies.

Internal or external?

Regulations allow the DPO to be an internal employee or an external professional. The best option depends on the company’s size, complexity of data processing, and available resources.

Having an external DPO can be more efficient and ensure a higher level of specialization, especially for SMEs or startups without an in-house legal team.

Both options can be valid depending on your organization’s structure and needs. The important thing is to ensure they have the right training, autonomy, and resources to perform their role effectively.

Conclusion

The DPO is not just a regulatory requirement—it is a strategic ally for any organization that handles personal data. Having a DPO helps minimize risks, prevent penalties, and build trust.

If your company processes personal data, handles large volumes of information, or simply wants to do things right, now is the time to have this key figure in place. At Metricson, we specialize in data protection. If you’d like to learn more about our ongoing support services for internal DPOs or our external DPO service, don’t hesitate to contact us.

Article written by:

Sara Hervías

Lawyer specialized in privacy and technology contracting

sara.hervias@metricson.com

About Metricson

Metricson is a leading firm in legal services for innovative and technology companies, with strong expertise in privacy and security. Since its founding in 2009, we have provided advice to over 1,400 clients from 15 different countries, including startups, investors, large companies, universities, institutions, and governments. Additionally, at Metricson we are experts in identifying and managing security breaches in companies, helping them protect themselves against risks and threats.

If you want to contact us, don’t hesitate to write to us at contacto@metricson.com. We look forward to talking with you!
