R-035HumanComplianceP0 · CriticalPlanned

Data Protection Officer (DPO)

The named accountable officer for personal data processing under GDPR. Required for high-volume consumer data processing.

Live Ops

Due-diligence relevance

GDPR formally requires a DPO for organisations processing personal data 'on a large scale' as a core activity. For an AI consumer-product company in the EU, the regulator's interpretation is universally that this applies. An unfilled DPO seat is the most common P0 finding in EU consumer-product diligence and a high-friction remediation requirement at signing.

Responsibilities

Maintain the Record of Processing Activities (RoPA)
Sign off DPIAs before high-risk launches
Liaison to the lead supervisory authority (Datatilsynet)
Quarterly privacy training across the team
Personal-data breach response coordination (GDPR Art. 33 + 34)

Inputs

· Architecture
· Sub-processor inventory
· Incident reports

Outputs

· RoPA
· DPIAs
· Regulator correspondence

Qualifications

CIPP/E or equivalent
Independence from operational reporting line (mandated by GDPR Art. 38)
Direct EU regulator experience

KPIs

Breach notification SLA (72h)DPIA completion rate

Interfaces

R-013Privacy Engineer R-034General Counsel R-036CISO R-037GRC Manager