What Does a DPO Actually Do? A Practical Breakdown

The job title sounds clear enough. Data Protection Officer. But ask five people what a DPO actually does day to day, and you'll get five different answers, ranging from "writes the privacy policy" to "handles it if we ever get hacked."

Both are partly true, and both miss most of the job.

Quick answer: A Data Protection Officer monitors compliance with UK GDPR, advises the business on data protection obligations, acts as the main point of contact for the ICO and for individuals exercising their data rights, and oversees processes like DPIAs and breach response. The role is defined in Articles 37 to 39 of UK GDPR, it must operate independently, and it can be filled internally, outsourced, or shared, as long as the person genuinely has the expertise, resources, and authority to do it properly.


 

What Is a DPO's Legal Role Under UK GDPR?

The DPO role isn't a job description a company invented. It's set out in law, in three specific articles.

Together, these articles mean a DPO isn't just a title stapled onto an existing role. It comes with legal independence attached, which is exactly the part that trips organisations up when they try to appoint one internally without changing anything else about how the role sits in the business.


 

What Does a DPO Actually Do Day to Day?

Strip away the legal language, and the day-to-day work usually falls into a few consistent buckets. None of them are glamorous, and most of them only become visible when they're missing, which is exactly why the role is easy to underestimate until something goes wrong.

  • Monitoring compliance, keeping the record of processing activities current, checking that policies match what's actually happening in the business, not just what's written down.
  • Advising on new projects, reviewing new tools, vendors, and processes before they launch, and flagging when a DPIA is needed.
  • Handling data subject requests, coordinating responses to access requests, deletion requests, and objections within statutory deadlines.
  • Managing breach response, assessing whether an incident meets the threshold for ICO notification, and coordinating the 72-hour clock once it does.
  • Acting as the ICO's point of contact, which matters most during an investigation or audit, when having someone who already knows the business's processing inside out is the difference between a smooth response and a scramble.
  • Training and awareness, making sure staff handling personal data actually understand what that means in practice, not just once a year at induction.

 

Trust Keith Office Hours


 

What Shouldn't a DPO Be Doing?

Article 38 also puts limits on the role, and they matter as much as the duties themselves.

  • Setting their own priorities checked by the people they're meant to be checking. A DPO who reports into, say, the same person who owns the marketing budget they're auditing has a structural conflict of interest, regardless of how well-intentioned everyone is.
  • Deciding the purposes and means of processing. That's a decision for the business, not the DPO. The DPO advises on it and monitors the outcome, but shouldn't be the one making the call, since that would mean checking their own work.
  • Being penalised for doing the job properly. Article 38 explicitly protects a DPO from being dismissed or penalised for performing their tasks, which is a meaningful legal safeguard, not just good practice.

This is where a lot of internal appointments fall down. Giving someone the DPO title without giving them genuine independence from the decisions they're meant to be reviewing doesn't meet the legal bar, even if it looks fine on an org chart.

It's also worth being honest about how this plays out in practice. A person juggling the DPO role alongside an operational job often ends up prioritising whichever deadline is loudest that week, and it's rarely the privacy one. That's not a character flaw, it's just what happens when independence exists on paper but not in the calendar.


 

What Skills Does a Good DPO Need in 2026?

The role has shifted noticeably in the last few years, mostly because the scope of what counts as "data processing" has expanded. A DPO appointed five years ago and one appointed today are doing recognisably different jobs, even if the legal definition hasn't changed.

  • Working legal knowledge of UK GDPR and the Data Protection Act 2018, enough to advise confidently without needing a solicitor for every question.
  • Comfort with AI and automated decision-making, since a growing share of DPIAs now involve tools the business didn't build itself and doesn't fully control.
  • Enough technical fluency to have a real conversation with engineering and IT, not just enough to nod along.
  • The judgement to say no, or more often, "not like that," to a project that's moving fast and doesn't want to hear it.
  • Genuine independence, both in reporting line and in temperament, since the role only works if the DPO is willing to flag problems that are inconvenient to raise.

 

In-House vs Outsourced DPO: What's the Trade-Off?

Both routes can satisfy the legal requirement. The trade-offs are practical, not legal.

  • In-house, someone who knows the business deeply and is available at short notice. But independence can be hard to maintain, especially when that person is also juggling an another role, and there's no ongoing cover if they go on annual leave or leave the company. When they're out, there's nobody else who knows the role well enough to step in.
  • Outsourced brings genuine independence, but it can come at a higher cost, and it's often structured as a one-off project rather than continuous, ongoing compliance support.

If you'd like a closer look at how to weigh this decision, how to choose the right DPO service provider and hiring a DPO without adding headcount both go into more detail on the practical options.


 

Trust Keith Resources


 

What Happens in a DPO's First 90 Days?

Whether the DPO is new, newly outsourced, or newly appointed internally, the first few months tend to follow a similar shape.

  • Weeks 1 to 2, mapping what actually exists. Systems, vendors, data flows, and comparing that against whatever documentation is already on file, which is often out of date.
  • Weeks 3 to 6, closing the most urgent gaps. Missing records, overdue subject access requests, contracts without data processing terms.
  • Weeks 6 to 12, building the ongoing rhythm. Review cycles, training, incident response steps, so compliance stops being a one-off project and starts being something the business simply does.

A DPO who's still doing discovery work after six months usually points to one thing. Nobody had a clear, current picture of the business's data before they started. That's often the single biggest predictor of how smooth, or not, the first year goes, and it's largely unrelated to how skilled the DPO actually is.

It's a fair test to apply before appointing anyone, internal or outsourced. Ask what they'd actually do in week one, and how quickly they expect to move past discovery and into the ongoing rhythm. A vague answer there is often a preview of how the rest of the year will go.


 

Frequently Asked Questions

Does every business need a DPO?
No. UK GDPR only requires one where processing is carried out by a public authority, involves large-scale regular monitoring, or involves large-scale special category data. Many businesses appoint one anyway as good practice, or to reassure investors and customers.

Can the DPO also be the CEO or a director?
Legally, yes, but it's risky in practice. The role requires independence from decisions about how data is used, and someone who also holds ultimate decision-making authority over the business can struggle to meet that bar.

How much time does the role actually take?
It depends heavily on the scale and sensitivity of processing. A smaller organisation with straightforward data might need a few days a month, while one handling special category data at scale may need something closer to full-time attention.

What happens if we appoint a DPO but don't give them real independence?
The appointment doesn't meet the requirements of Article 38, and in an ICO investigation, that gap tends to surface quickly and reflect badly on the wider compliance programme, not just the DPO arrangement itself.

Is an outsourced DPO less "real" than an in-house one?
No. UK GDPR explicitly allows the role to be outsourced, and an outsourced DPO carries the same legal responsibilities and protections as an internal appointment.


 

The DPO role sounds procedural until you actually need it, and then it's the thing standing between a manageable incident and a genuinely bad one. Getting the basics right early, clear scope, real independence, and enough time to do the job, tends to matter far more than which reporting structure you land on.

Trust Keith's outsourced DPO service is built to close that exact gap. You get an expert matched specifically to your business, who gets embedding into your team the way an in-house hire would, but sits outside the business with genuine independence built in. They're backed by a full team of DPOs, not working alone, so if they're ever unavailable, there's always someone who can step in.

find out more


 

Trust Keith - take data protection off your plate, for good