What does a Data Protection Officer (DPO) do?

As Data Protection Officers (DPOs) we advise on data protection law, monitor GDPR compliance, support risk assessments and act as a contact point for both supervisory authorities and data subjects on your behalf.

When should a company appoint a Data Protection Officer?

Under the GDPR certain organisations must appoint a Data Protection Officer, for example when processing is large-scale, sensitive or involves systematic monitoring, and we help you assess whether the obligation applies and choose an internal or external DPO solution that fits your risk profile.

How can Morling Consulting support our organisation with GDPR and DPO services?

We offer external DPO services and GDPR advice, including compliance reviews, incident support, training, DPIA and contract assistance, and we tailor our support to your organisation’s size, sector and international footprint.

Data Protection Officer

An external Data Protection Officer monitors compliance, advises and manages supervisory contacts

CONTACT US

External Data Protection Officer

A Data Protection Officer (DPO) is a data protection expert appointed by the controller, for example a company that processes personal data. The DPO’s role includes providing information and advice on data protection and monitoring compliance with data protection law, in particular the GDPR. The officer may be an employee of the company or act as a consultant — an external Data Protection Officer.

The DPO contributes specialised knowledge in data protection and can objectively review the organisation’s data handling processes. In addition to advising on data protection issues and overseeing GDPR compliance, the DPO can conduct risk assessments and act as a point of contact for supervisory authorities and data subjects.

The mandate of an external DPO

We set the parameters for the engagement and establish communication routes with management and key functions so the DPO role can operate independently and reach the right decision-makers. At the same time, we agree on a way of working—remote or on-site—based on needs and scope.
We review how personal data is handled in practice and identify where GDPR requirements and internal governance documents matter most. This provides an initial view of risk levels and where the organisation needs the clearest support.
We turn the observations into a prioritised plan with clear activities and ownership so the work is achievable and creates value. The focus is on traceability—what will be done, in what order, and why.
We advise on day-to-day questions and follow up to ensure the work develops in line with the plan and internal routines. Where needed, we take part in risk assessments and support data protection impact assessments.
We act as a clear point of contact for the Swedish Authority for Privacy Protection and for data subjects, helping the organisation handle queries in a structured way. The work is summarised in regular follow-ups that provide a basis for continued improvements over time.

Top-down view of a tidy workspace with a laptop, notebook, and two suited hands framing a blank sheet of paper to signal scope and clear objectives for legal counsel.

We set the parameters for the engagement and establish communication routes with management and key functions so the DPO role can operate independently and reach the right decision-makers. At the same time, we agree on a way of working—remote or on-site—based on needs and scope.

Close-up of a whiteboard with simple arrows and neutral markers representing data flows, as legal counsel places a marker.

We review how personal data is handled in practice and identify where GDPR requirements and internal governance documents matter most. This provides an initial view of risk levels and where the organisation needs the clearest support.

Calm meeting table with three neutral document stacks and a pen indicating prioritization; two gender-neutral legal counsel in the background with simplified, faceless features.

We turn the observations into a prioritised plan with clear activities and ownership so the work is achievable and creates value. The focus is on traceability—what will be done, in what order, and why.

Legal counsel reviewing a tabbed binder beside an open laptop and a checked box on a blank form, signaling implementation and documentation.

We advise on day-to-day questions and follow up to ensure the work develops in line with the plan and internal routines. Where needed, we take part in risk assessments and support data protection impact assessments.

Legal counsel places a neutral token on a stack of folders with a blank calendar in the background, symbolising governance and recurring follow-up.

We act as a clear point of contact for the Swedish Authority for Privacy Protection and for data subjects, helping the organisation handle queries in a structured way. The work is summarised in regular follow-ups that provide a basis for continued improvements over time.

Organise privacy governance

With the right DPO setup, governance, advice and follow-up become an integrated part of the business. Strengthen the function with training and clear routines for records and incidents. Click through to read more about a way of working that scales with the organisation.

GDPR training

Personal data breach

DPIA

Privacy Counsel

Confident external Data Protection Officer standing in front of a secure office building, symbolizing GDPR compliance, data security policies, and protection of personal data.

What responsibilities does a Data Protection Officer have?

A Data Protection Officer has several key responsibilities that help ensure the organisation complies with data protection law. Core tasks include:

Informing and advising the organisation and its employees on obligations under the GDPR and other data protection rules.
Monitoring compliance with data protection legislation and internal data protection policies.
Advising on data protection impact assessments and overseeing their execution.
Acting as a point of contact for supervisory authorities and cooperating with them as needed.
Serving as a contact for data subjects who have questions about how their personal data is handled.

The DPO’s role is both advisory and supervisory, and demands integrity and independence. An external solution can therefore be advantageous to safeguard independence.

We guide you

External DPO services or an internal appointment?

An external data protection officer brings an independent perspective, free from internal politics or preconceptions. Their broad experience across sectors provides valuable insights and best practices. They stay current on developments in legislation and practice, ensuring continuous compliance with data protection rules.

An external DPO can be more cost-effective, particularly for smaller companies, as you avoid the cost of a resource that may not be fully utilised. A recurring challenge in smaller organisations is appointing a Data Protection Officer who does not have other duties that create conflicts of interest.

We are pleased to partner with you from the outset when choosing between an internal or external solution. For example, we can help map your organisation’s needs and the options available when appointing a Data Protection Officer.

What can Morling Consulting help with?

Engaging external DPO services from Morling Consulting means your company receives ongoing support in its data protection work over time. Our data protection officers are specialists in GDPR compliance and take a holistic approach to your programme.

Our lawyers routinely advise a wide range of organisations on the GDPR and deliver value from day one. With experience across industries, we provide practical insights and best practices. We can perform the assignment remotely or on site, depending on your needs and the scope of support required. Do not hesitate to contact Morling Consulting today.

Business professional on the phone discussing GDPR compliance and data security with an external Data Protection Officer to protect company and customer personal data.

The responsibilities of a DPO are set out in the GDPR and include:

Providing advice and information on data protection legislation.
Monitoring the organisation’s compliance with the GDPR.
Assisting with risk assessments relating to personal data processing.
Acting as a contact point for both supervisory authorities and data subjects.

Under the GDPR it is mandatory to appoint a DPO if:

Processing is carried out by a public authority or body.
The organisation engages in regular and systematic monitoring of individuals on a large scale.
The organisation conducts large-scale processing of special category data or data relating to criminal offences.

Appointing an external data protection officer provides an independent and objective perspective on your data protection programme. An external DPO often has broad cross-sector experience and access to up-to-date knowledge of legislation and practice, ensuring high competence. For many companies it is also a cost-effective solution if needs do not justify a full-time internal role. Using an external DPO also reduces the risk of conflicts of interest that can arise when internal staff try to combine the DPO role with other responsibilities.

Morling Consulting offers comprehensive support in data protection and the GDPR. We can assist with:

Advice on compliance, risk management and internal processes.
Hands-on support in the event of personal data incidents.
Training for staff and leadership on data protection matters.
Support when choosing between an internal or external DPO solution.
External DPO services.

No. A DPO is not personally liable for an organisation’s non-compliance. Responsibility always rests with the controller or the processor. However, the DPO must be able to work independently and report risks and deficiencies freely.

Under the GDPR, a DPO must have knowledge of data protection law and applied practice. The person must be able to provide qualified advice and guidance on data protection while acting with integrity and holding an independent position within the organisation. The DPO must also have good insight into the organisation’s processing of personal data to effectively monitor compliance with data protection rules.

There is no blanket prohibition — but it is permitted only where no conflicts of interest arise. Examples of roles that generally cannot be combined with the DPO role include:

Head of IT or Head of Security.
Managers who determine purposes of processing.
Other roles with decision-making authority over personal data processing.

Morling Consulting can help you assess whether an internal solution is suitable or whether an external data protection officer is preferable.

Morling Consulting’s GDPR lawyers are used to mobilising quickly and can in many cases start as Data Protection Officer within a few days. The assignment begins with a needs assessment in which we review, together with you, the organisation’s current status regarding personal data processing, identify the support required in the short and long term, and assess the resources and processes already in place. We then tailor our support to the organisation’s size, sector and risk profile to ensure it is relevant and effective.

Yes. Typical examples of advice our GDPR lawyers can provide include:

Review and development of internal routines for handling personal data.
Support in drafting data processing agreements and other contracts relating to data protection.
Advice on international transfers and the use of cloud services.
Guidance in incident management, for example when a personal data breach occurs.
Assessment of whether a data protection impact assessment (DPIA) is required and how to conduct it.
Support in communications with the Data Protection Agency.

Our advice is always tailored to your organisation’s specific needs, sector and risk profile.

We deliver external DPO services to organisations across Europe, ensuring consistent, pragmatic support wherever you operate. Speak to us to discuss external DPO cost considerations and how our approach aligns with your compliance goals.

Contact

Felix Morling

Speak to a Data Protection Officer

Do you need an external Data Protection Officer or support with DPO matters? Contact us to discuss

"*" indicates required fields