Do you need a Data Protection/Privacy Officer (DPO)?
📋 Regulatory Guidance
This post covers DPO obligations under GDPR and the New Zealand Privacy Act 2020. Requirements differ by jurisdiction, organisation size, and the nature of data processed. This is general guidance — not legal advice. If you are unsure whether you are obligated to appoint a DPO, Secompass recommends engaging a qualified privacy adviser.
It wasn't a question most businesses thought to ask.
It wasn't on the agenda at the last board meeting.
But if your organisation handles personal data — and almost every organisation does — it may already be a legal requirement.
In certain cases, GDPR and the New Zealand Privacy Act require companies to designate a Data Protection or Privacy Officer (DPO). Secompass provides a Virtual Data Protection Officer (vDPO) service tailored to your privacy needs. The vDPO will support you by informing, advising, monitoring compliance, and acting as your point of contact for the supervisory authorities.
A Data Protection Officer is not a luxury reserved for large corporates or tech companies with vast data pipelines. Under GDPR and, in certain circumstances, the New Zealand Privacy Act, it is a role that may be mandatory — whether or not your business is ready for it.
Most organisations that need a DPO don't have one. Many that have appointed one don't fully understand what the role requires. And some that don't need a formal DPO would benefit significantly from having one anyway.
This post exists to close that gap. It covers who is legally required to appoint a DPO, what the role actually involves, and how a virtual DPO can deliver the same compliance outcome at a fraction of the cost of a full-time hire.
Regulatory References
GDPR Articles 37–39 — DPO designation, position, and tasks.
New Zealand Privacy Act 2020 — Privacy Commissioner guidance on privacy officers.
NZ Privacy Act 2020 — legislation.govt.nz
Office of the Privacy Commissioner — privacy.org.nz
This post is for general informational and educational purposes only. It does not constitute legal, technical, or professional advice. Secompass recommends engaging a qualified adviser before making decisions based on this content.
What Is a Data Protection Officer?
A Data Protection Officer is an independent expert appointed to ensure an organisation handles personal data in compliance with applicable privacy law. The role is not an IT function, a compliance checkbox, or a title given to whoever manages the privacy policy document.
A DPO operates at the intersection of law, governance, and operations. They advise on compliance, monitor data processing activities, act as the point of contact for regulators, and educate staff on their obligations. Critically, they must be able to perform their duties independently — they cannot be instructed on how to exercise the role, and they cannot be dismissed or penalised for doing their job.
The Key Distinction
A DPO does not decide how an organisation processes data. That is a business decision. A DPO advises on whether that processing is lawful, proportionate, and compliant — and escalates concerns when it is not.
The role is an advisory and watchdog function, not an operational one.
Do You Actually Need One?
The answer depends on where you operate, what data you process, and at what scale. Both GDPR and the New Zealand Privacy Act create specific obligations — but they operate differently.
GDPR — Article 37
Mandatory DPO appointment where: processing is carried out by a public authority; core activities involve large-scale systematic monitoring of individuals; or core activities involve large-scale processing of special category data. Applies to EU/EEA operations and organisations targeting EU residents.
NZ Privacy Act 2020
Every agency that is not an individual must designate a Privacy Officer under section 201. Unlike GDPR, this is a broad obligation — it applies to virtually all New Zealand businesses. The Privacy Officer is the first point of contact for privacy complaints and compliance queries.
Special Category Data (GDPR)
Health, biometric, racial, religious, political, and sexual orientation data all trigger heightened obligations. Large-scale processing of any of these categories requires a mandatory DPO appointment under Article 37(1)(c), regardless of organisation size.
Health Information (NZ)
The Health Information Privacy Code applies additional rules to health sector organisations in New Zealand. Health data is treated as sensitive information under the Privacy Act 2020, and agencies holding it are expected to demonstrate a higher standard of governance and oversight.
Work through the flowchart below to determine whether a DPO or Privacy Officer appointment is legally required for your organisation:
Figure 1 — DPO obligation quick-check. Find the row that matches your organisation to identify your legal requirement.
What a DPO Actually Does
The DPO role is defined in GDPR Articles 38 and 39. Under the New Zealand Privacy Act, the Privacy Officer carries an equivalent function. Both require someone who can operate independently, communicate directly with leadership, and act as the primary point of contact for regulators.
Monitor Compliance
Audit data processing activities, review privacy impact assessments, and ensure the organisation's practices align with legal obligations on an ongoing basis.
Inform and Advise
Advise the organisation and its staff on privacy obligations. The DPO informs — not decides. Operational choices remain with the business; the DPO ensures those choices are legally grounded.
Liaise with Regulators
Act as the designated point of contact for the supervisory authority — in New Zealand, the Privacy Commissioner; in the EU, the relevant Data Protection Authority.
Conduct DPIAs
Lead Data Protection Impact Assessments for high-risk processing activities — a mandatory requirement under GDPR Article 35 before certain types of data processing begin.
Train Staff
Design and deliver privacy training to ensure staff who handle personal data understand their obligations under applicable law and internal policy.
Manage Breaches
Lead the organisation's response to notifiable privacy breaches — including assessment, notification to regulators, communication to affected individuals, and post-incident review.
Figure 2 — The six core DPO functions: all must be performed with structural independence from the organisation's management chain.
"The DPO is not there to slow the business down.
The DPO is there to make sure the business doesn't make a mistake it can't recover from."
In-House DPO vs Virtual DPO
Once an organisation establishes that it needs a DPO — or decides that appointing one is the right strategic move — the next question is how. A full-time, in-house DPO is one option. For most SMEs, it is not a practical one.
| Consideration | In-House DPO | Virtual DPO (vDPO) |
|---|---|---|
| Cost | Full-time salary + benefits. Senior privacy professionals command significant packages in ANZ markets | Fractional engagement — you pay for the expertise you actually need, not a full headcount |
| Expertise | Single individual — depth depends on their background and ongoing development | Access to a team with cross-sector experience across GDPR, NZ Privacy Act, health, finance, and tech |
| Independence | Can be subject to internal pressure — especially in smaller organisations | Structurally independent — no internal employment relationship, no conflict of interest |
| Availability | Available during business hours — single point of absence risk | On-call coverage, no leave gaps, no knowledge loss when staff change |
| Scalability | Fixed capacity — difficult to scale during incidents or compliance programmes | Scales with your needs — more support during audits, incidents, or regulatory reviews |
| GDPR compliance | Compliant if structured correctly | GDPR explicitly permits external DPO appointments (Art. 37(6)) |
Figure 3 — In-house DPO vs virtual DPO: a side-by-side comparison across six key dimensions for ANZ SMEs.
A Common Mistake
Appointing a DPO from within the team without assessing conflicts of interest.
GDPR prohibits the DPO from holding a position that results in a conflict of interest. This means your Head of IT, Legal Counsel, or CFO are frequently ineligible — because their operational responsibilities conflict with the independent oversight the DPO role requires. A virtual DPO avoids this problem structurally.
How Secompass Delivers the vDPO Service
Secompass provides a Virtual Data Protection Officer service tailored to the privacy compliance needs of SMEs across Australia and New Zealand. The service is structured to deliver the full legal and functional scope of the DPO role — without the cost or complexity of a full-time hire.
1. Privacy gap assessment. We begin by mapping your current data processing activities against your legal obligations under applicable privacy law — identifying where you are compliant, where you are exposed, and what needs to change.
2. Designated DPO appointment. Secompass is formally registered as your Data Protection Officer or Privacy Officer — fulfilling the legal requirement and providing your regulator point of contact.
3. Ongoing compliance monitoring. We maintain a rolling review of your data processing activities, advise on new initiatives, and flag risks before they become incidents.
4. Staff training and awareness. We deliver privacy training to your team — practical, role-specific, and updated as the regulatory landscape changes.
5. Breach response support. In the event of a notifiable privacy breach, we lead the assessment, manage regulator notification, and support you through the response process.
6. DPIA facilitation. Where new processing activities require a Data Protection Impact Assessment, we lead the process — ensuring it is documented, proportionate, and defensible.
Where Most Organisations Are Right Now
Most SMEs across Australia and New Zealand have not formally assessed whether they are required to appoint a DPO or Privacy Officer. Many have not designated anyone in the role — leaving a legal gap that could become a compliance exposure in the event of a breach or regulatory inquiry.
The organisations that have successfully kept privacy compliance costs low have done so not by avoiding the requirement, but by meeting it efficiently — with the right external expertise, at the right engagement level, without the overhead of a full-time hire.
If you have successfully implemented privacy in your organisation while keeping costs low, we would genuinely like to hear how. Share your approach with us — and with the broader community.
Privacy compliance is not a project with an end date. It is an ongoing obligation — and it works best when someone is specifically accountable for it. That is what the DPO is for.
Work With Secompass
Not Sure If You Need a DPO? Start With a Free Consultation.
We help organisations across Australia and New Zealand determine their DPO obligations, close their privacy compliance gaps, and implement a vDPO model that works for their size and budget.
- Do you know whether you are legally required to appoint a DPO or Privacy Officer?
- Does your organisation have someone formally accountable for privacy compliance?
- Are you confident your data processing activities are mapped, assessed, and documented?