GDPR
Since the General Data Protection Regulation (GDPR) came into force in May 2018, the role of Data Protection Officer (DPO) has established itself as a central pillar of digital compliance. Yet many directors of micro-businesses, SMEs and startups still do not know whether they are actually required to appoint a DPO, what this person concretely does, and how much it costs.
In 2025, the CNIL issued 83 sanctions for a record amount of 486 million euros in fines across all sectors. SMEs, associations, local authorities: no organisation is immune. Understanding the issues surrounding the DPO means protecting your business before it is too late.
This article gives you a clear, legally reliable and practical overview of what the DPO role entails, who is concerned, what its statutory duties are, how to avoid common pitfalls, and what budget to plan for depending on the size of your organisation.
The DPO is the central figure for compliance with personal data protection rules within an organisation. The role is provided for and governed by Articles 37, 38 and 39 of the GDPR, as well as by the French Data Protection Act as amended by the order of 12 December 2018.
Its primary mission is to steer the organisation's compliance with the GDPR: it informs, advises, monitors, documents and acts as the liaison with the CNIL. The CNIL itself describes the DPO as the "conductor" of data protection within the entity that appointed them.
Contrary to common belief, the DPO is neither an IT manager nor merely a lawyer. The role combines cross-disciplinary skills: personal data law, IT security, risk management, internal communication. It is a hybrid profile, increasingly sought after, operating at the intersection of legal, technical and organisational matters.
Yes. The DPO role succeeded that of the Data Protection Correspondent (CIL), which existed under the former regime of the 1978 French Data Protection Act. However, the DPO has significantly enhanced powers and obligations, particularly with regard to independence, allocated resources and documentary traceability.
This is often the first question directors ask. The answer is precise: Article 37 of the GDPR sets out three situations in which appointing a DPO is mandatory.
The obligation applies in the following cases:
1. The processing is carried out by a public authority or body (except for courts acting in their judicial capacity).
2. The organisation's core activities consist of processing operations which require regular and systematic monitoring of individuals on a large scale.
3. The organisation's core activities consist of large-scale processing of special categories of data (health, biometric, political opinions, etc.) or of data relating to criminal convictions and offences.
Apart from these three cases, appointment remains strongly recommended by the CNIL for any business handling a significant volume of personal data, particularly in the e-commerce, human resources, finance and digital marketing sectors.
In practice, the answer is often yes. Appointing a DPO, even on a voluntary basis, sends a strong signal to the CNIL, to your clients and to your business partners. It is also a way to structure your compliance approach and avoid the costly mistakes that are subject to growing sanctions.
Worth noting: in early 2024, more than 34,000 DPOs were registered in France with the CNIL, compared with 21,000 in 2019, an increase of 62% over five years. This trend reflects genuine awareness within the business community.
The DPO's duties are defined in Article 39 of the GDPR. They are broad, demanding and cannot be delegated to a person lacking the required skills.
1. Inform and advise the organisation and its employees about their data protection obligations. This includes raising staff awareness, drafting internal memos and training employees in good practices.
2. Monitor compliance with the GDPR and national law, in particular the French Data Protection Act. The DPO ensures the proper upkeep of the record of processing activities (mandatory for any data controller, pursuant to Article 30 of the GDPR), the legitimacy of the legal bases relied upon, and respect for individuals' rights.
3. Advise on impact assessments (DPIA, for Data Protection Impact Assessment) and verify their performance. Where processing is likely to result in a high risk to the rights and freedoms of individuals, a DPIA is mandatory before the processing is implemented (Article 35 of the GDPR).
4. Act as the contact point for data subjects, that is, respond to requests to exercise rights: right of access, right to rectification, right to erasure ("right to be forgotten"), right to data portability, right to object.
5. Cooperate with the CNIL and serve as the primary point of contact in the event of an inspection, complaint or sanction proceeding. In the event of a personal data breach, the DPO coordinates the notification to the CNIL, which must be made within 72 hours (Article 33 of the GDPR).
The issue of the DPO's independence is central. Article 38 of the GDPR guarantees that the DPO may not receive instructions from management regarding the performance of its duties. Nor may the DPO be dismissed or penalised for performing its functions.
Above all, the DPO cannot be both "judge and party": it cannot simultaneously hold functions that involve determining the purposes and means of a data processing operation. In practice, this means that a chief information officer (CIO), a marketing director or a human resources director generally cannot combine these roles with that of DPO.
A concrete example: An e-commerce SME appoints its IT manager as DPO to save costs. This manager also handles the customer databases and decides which CRM tools are used. This combination of roles creates a conflict of interest expressly prohibited by the GDPR and exposes the company to a CNIL sanction in the event of an inspection.
This is a point that is often misunderstood. The DPO does not personally bear legal liability for GDPR breaches. That liability falls on the data controller, that is, the company itself and its management.
However, the DPO incurs contractual liability if it fails to perform its duties in accordance with its mandate. An external DPO also incurs professional liability under the service agreement binding them to the company.
The risks are serious and well documented:
In 2024, the CNIL carried out more than 340 inspections and several dozen sanctions exceeded one million euros. SMEs are no longer spared.
To learn more
The DPO informs and advises the organisation, monitors compliance with the GDPR, advises on impact assessments, cooperates with the CNIL and acts as its point of contact. As a pillar of digital compliance, it has played a central role since the GDPR came into force.
Appointment is mandatory for public bodies and for companies whose activity involves regular and systematic monitoring of individuals on a large scale, or the processing of special categories of data. No organisation, SME, association or local authority, is in principle immune.
The cost depends on the choice between an internal and an external DPO, the volume of processing and the level of support. An external DPO makes it possible to pool expertise without bearing a full-time position, which is often suited to micro-businesses, SMEs and startups.
In 2025, the CNIL issued 83 sanctions for a record amount of 486 million euros, across all sectors. This outcome shows that no organisation is immune and underscores the importance of compliance, to which the DPO contributes.
Yes. SMEs, associations and local authorities are concerned by CNIL sanctions. No organisation is immune, which makes understanding the issues surrounding the DPO essential to protect your business before it is too late.
Yes. A company may appoint an external DPO, which allows it to benefit from pooled expertise without the cost of a full-time position. This option is often suited to micro-businesses, SMEs and startups subject to GDPR obligations.
The DPO performs its duties in full independence and ensures the organisation's compliance. Its responsibility is exercised through its advisory and monitoring role, with liability for processing remaining with the data controller. Its function remains a pillar of compliance.
A lawyer helps determine the obligation to appoint a DPO, decide between an internal and external arrangement, and secure compliance. A lawyer may also perform the DPO role, combining operational oversight with legal expertise.