In light of GDPR, you will have seen this position crop up more and more in recent times; The all powerful, all important Data Protection Officer. 

In this article, I explore some of the benefits Data Protection Officers can bring to your organisation with an insight from Steve Kenny, former Head of Privacy at eBay, on what it takes to fill the shoes of a DPO.

Employing a DPO, and having them sit at board level, creates a useful contrast of someone who understands the technical expertise of approaching data protection, but also how to adopt a tailored approach through understanding the company culture and organisational context to tackle complex data protection dilemmas. Look at it as a role that finds the optimum equilibrium state of supporting the organisation in compliance efforts, but, approaches these efforts with a partial view towards consumers, with no organisational bias.

Here are some of key business benefits that a DPO can offer;


It goes without saying that it is no easy task to fill the shoes of the DPO role. DPOs offer invaluable expertise in data privacy and are generally subject matter experts in translating the legislative requirements into a tailored approach of business transformation. The level of expertise is hard to find but has an excellent value proposition, adding skills in new areas and sharing knowledge across multiple business departments.


Employing a DPO sends a message to your customer base that you are taking compliance efforts seriously. However, adopting a strong privacy culture is not just for obligated compliance efforts but also for the added benefit of enhancing your customer experience. Transparency and care of data equates to an excellent recipe of positive branding. After all, GDPR is a business enabler that allows us to regain the trust between technology and society.

Data is personal, period.


DPOs have a duty to remain impartial in their day-to-day role so, not only do they serve the best interests of the business, but they also serve the best interests of your customers. In a conflict of interest context, where failing to comply with GDPR may cause a considerable level of organisational damage, the DPO is obliged to report your organisation to the ICO.


Security breaches can cripple a business. Therefore, it is crucial for organisations to have a strategy in place for breach minimisation. A lot of times a breach can be hyped up as ‘hacking past the firewall’ and ‘filtering through the cyber security network’ but sometimes,all it takes is Pam from finance taking her laptop out of work and accidentally leaving it in the local Starbucks for a devious data thief to steal and exploit the data. Improving data protection standards in-house through training and awareness can work wonders for breach minimisation and the DPO can play the role as the ‘in-house Privacy Champion’ but also, they can play a key role in contributing to cyber security strategy under GDPR. Depending on organisational structure this can involve collaborating with the CISO, CRO, CIO etc. in delivering effective solutions to the board on avoiding costly breaches.


Working ALONGSIDE the regulator is a much more effective route to compliance rather than attempting to avoid them. Angel on your shoulder sounds a lot better than the Devil, am I right? The ICOs website has a wealth of information promoting best practice and if your DPO can present your organisation in a positive light to the commissioner, you know you are taking a step in the right direction.


I asked Steve Kenny, Founder of Assured Privacy and former head of EU Privacy at both eBay and PayPal, what are the most important factors for serving the DPO position.

“Gravitas and creditability with the C-Suite and buy in from the business and the ability to combine commercial and compliance objectives into optimal trade-offs”.

Finding these trade-offs is easier said than done but paving the right path will always favour in the long-term.

I also asked Steve his opinion on how important legal qualifications are in the context of becoming a DPO, as clients often have the requirement of an LLB or LLM under a DPO job description.

“The requirement is to be an expert in data protection under A37-5. Data Protection is a compliance subject in an era of data driven business transformation – so you need a blend of skills and this is really rare to find in one individual. That is one driver behind the external ‘DPO as a service’ model offered by firms such as Heward Mills”.

It is a super-niche skillset indeed and do not forget the soft skills. You are going to need to be great at stakeholder management as the journey is not likely to be all plain sailing.

All in all, employing a data protection officer is no easy task but certainly is one that will add tremendous commercial value to your organisation, customers and employees.