What does a Data Protection Officer do in practice?

2 mins read • Legal Writer • GDPR • 21 July 2025

The primary task of a Data Protection Officer (DPO) is to monitor compliance with the General Data Protection Regulation (GDPR) within an organisation. This includes providing advice, following up on internal procedures and acting as a point of contact with the Data Protection Agency.

In practice, the role often involves supporting the business with data protection impact assessments, ensuring that legal bases are applied correctly and fostering a culture of data protection awareness. The DPO does not make decisions that affect processing – indeed, the DPO must not hold such responsibility, as this would create a conflict of interest with the DPO’s independent oversight role.

Outsourced data protection officer – when is it the right choice?

For many organisations, appointing an outsourced data protection officer is both cost-effective and reliable. This is particularly the case for smaller companies or where data protection is one component of a broader compliance function. An external DPO can also contribute up-to-date expertise and independence.

  • Objective separation of duties: No links to decision-making on personal data.
  • Specialist expertise: Access to accumulated GDPR experience.
  • Resource efficiency: The role can be provided by an external consultant, allowing the scope to be tailored to the organisation’s needs.

Engaging an outsourced data protection officer requires a formalised mandate. Under Article 37 GDPR, both organisational placement and communications with the Data Protection Agency must be assured. It is also essential to make clear that the role must not be influenced by conflicts of interest. Where appropriate, organisations may consider DPO as a service to structure the DPO designation and DPO contract.

How to avoid conflicts of interest in the role

A common mistake is for the DPO simultaneously to hold a role involving operational decisions about personal data processing. This contravenes Article 38(6) GDPR, which requires the DPO to act independently and not be instructed in the performance of their tasks.

To avoid conflicts of interest, the company should analyse job descriptions and the allocation of responsibilities. If the DPO is employed internally, their organisational placement must be reviewed. Anyone who decides the purposes and means of processing, or who holds managerial positions, should not be appointed as DPO.

At Morling Consulting, we offer solutions where independence is always guaranteed. Our GDPR lawyers take on DPO assignments on an interim basis or on an ongoing basis, including as an outsourced data protection officer (outsourced DPO) through structured DPO advisory and DPO consulting.