Under the GDPR, certain controllers and processors are required to appoint a Data Protection Officer. This obligation applies to all public authorities and bodies, as well as to organisations whose core activities involve regular and systematic monitoring of individuals on a large scale, or large-scale processing of special categories of personal data. The obligation also extends to organisations designated by member state law, and Belgium's Data Protection Act provides for additional DPO requirements in specific contexts. Failure to appoint a DPO where required is a directly enforceable GDPR violation that can attract supervisory attention independently of any underlying data protection issues.
Organisations may appoint an internal employee as DPO or engage external services through a service agreement. The external DPO model offers access to high-level expertise without the overhead of a dedicated hire, and avoids conflicts of interest that can arise when a DPO also holds other functions within the organisation. For small and medium-sized organisations, an external DPO is often the most practical and cost-effective way to meet the obligation.
The DPO's role under the GDPR is advisory, supervisory, and communicative. The DPO advises the controller on data protection obligations, monitors compliance with the GDPR and the organisation's own policies, provides guidance on Data Protection Impact Assessments, acts as the point of contact for the supervisory authority (the Belgian GBA/APD), and handles data subject queries and complaints. The DPO must be given the resources and independence necessary to perform these functions effectively, and must not receive instructions regarding the exercise of the DPO function.
In practice, the DPO's work includes reviewing new processing activities for compliance before they are implemented, maintaining and updating the Records of Processing Activities, advising on data breach response and notification obligations, reviewing and updating privacy notices and consent mechanisms, assessing vendor data processing agreements, and providing training on data protection to staff. The DPO is also responsible for maintaining the organisation's relationship with the supervisory authority and coordinating any inspections or investigations.
An external DPO brings several structural advantages over an internal appointment. First, independence: the external DPO has no conflicting responsibilities within the organisation and no hierarchical relationship that could compromise the function. Second, expertise: an external DPO from a specialised data protection practice brings cross-sector experience and current knowledge of regulatory developments, enforcement trends, and best practices. Third, scalability: the external DPO engagement can be scaled to the organisation's needs, providing intensive support during project phases (new system launches, international expansions, breach incidents) and routine oversight during steady-state operations.
pitch.law's DPO as a Service offering provides a named DPO with direct client contact, supported by a team of data protection specialists. The DPO is available for day-to-day queries, participates in management discussions where data protection is relevant, and provides structured reporting on the organisation's compliance posture.
A DPO is mandatory for public authorities and bodies, organisations whose core activities involve regular and systematic monitoring of data subjects on a large scale, and organisations whose core activities involve large-scale processing of special categories of data or data relating to criminal convictions. Even where not mandatory, appointing a DPO is recommended as a governance best practice and is increasingly expected by business partners and regulators.
The GDPR does not require specific certification, but expects demonstrable expertise in data protection law and practice. Certifications such as CIPP/E or CIPM provide useful validation of competence and are increasingly expected by supervisory authorities. Our DPO team holds recognised data protection certifications and maintains continuous professional development.
Yes, but only if those additional functions do not result in a conflict of interest with the DPO role. The GDPR specifically requires that the DPO does not hold a position that leads to a conflict of interest. Roles such as IT director, legal counsel, HR director, or any management position that determines the purposes and means of processing personal data are typically incompatible with the DPO function in larger organisations. This conflict risk is one of the primary reasons organisations choose an external DPO.
Our DPO as a Service is provided on a fixed annual fee basis, covering the mandatory DPO functions, routine advisory work, and a defined level of project support. The engagement includes a named DPO, regular compliance reporting, availability for day-to-day queries, and participation in management discussions where data protection matters arise. Additional project work (DPIA support, breach response, vendor assessments) is available at pre-agreed rates.