"One of the most valuable DPO topic meetings I've attended."
That's what one hubster said after Friday's (at times heated) discussion!
The summary's now up in the NoTies Community - that trusted space where we speak candidly, share real challenges, ask silly questions and support each other without judgment. Curious? Sign up to join our next conversation.
Now, while everyone's been discussing the Telenor DPO fine and debating role conflicts – including on Grumpy GDPR with former Dutch DPA official and fellow podcaster Paul Breitbarth – I've noticed a more fundamental question emerging:
Should there even be a DPO role under the GDPR?
Naturally, this became a major topic on our Community call.
We had DPOs from small companies, Group/Global setups, public and private sectors joining – from ten different countries!
Interestingly, no clear consensus emerged, but while a minority defended keeping things as-is, most argued for reform. And a few brave souls? They suggested scrapping the role entirely.
Including me. At least I'm leaning towards it, for several reasons (I'll talk more about these in later editions).
When I first floated this idea during our Grumpy GDPR end-of-year LinkedIn Live, jaws dropped. Some even fired off angry messages in disbelief (forgetting, perhaps, that progress starts with asking uncomfortable questions).
I was half-joking then.
I'm not joking anymore.
After dissecting the Telenor decision for 20+ hours (yes, I track everything), I'm convinced we at least need to seriously reconsider the DPO framework.
Listen, I've always advised: don't appoint a DPO unless you're certain you need one, or it delivers clear strategic value.
Not because of enforcement risk, but because if you do, you must comply with the provisions in full (as 🇳🇴 Datatilsynet also pointed out to Telenor). That's asking for extra work nobody wants or needs.
DPAs (including Datatilsynet and CNIL), on the other hand, have touted a voluntary role for years.
The Telenor case painfully shows why this could be a terrible idea.
In their defence against the preliminary decision, Telenor made a compelling point: they appointed a DPO voluntarily – like many large Norwegian companies – as a good-faith compliance effort, not because they were legally required to.
The result? Significant sanctions and confusing corrective orders. Their response was as decisive as it was bold: axe the role entirely.
This isn't just a one-off. My inbox is filling with messages from DPOs whose positions have or will be eliminated – specifically citing enforcement risk as the reason. Others have quietly started these discussions internally.
And get this: it's often the DPOs themselves requesting the change (!). That says a lot.
Most have moved into a GPO/CPO position, some even finally got a dedicated compliance budget.
📧 Are you one of them? I'd love to hear your story too.
To wrap up: my advice today, and I don't say this lightly, is to revisit your DPO role assessment, and consider axing the role before it becomes a liability.
But be strategic. Your assessment must be rock solid. When you notify the DPA, they'll likely demand justification.
Prepare a watertight response now, not when they're knocking at your door.
What's your view: keep, revise or axe?
Until next time,
Your Cheerful DPO,
Rie Aleksandra Walle
PS: Need help with your DPO assessment? In the upcoming DPO Hub Topic page, I'm not just decoding those maddeningly vague Art. 37(1) terms like 'core activities', 'systematic monitoring' and 'large scale'...
I'm even sharing my battle-tested External DPO contract – with details on how to solve every part of Art. 37-39 practically, including tackling disagreement.
Or want a second opinion before a DPA does? I’ll review your assessment with a regulator’s eye and flag potential weak spots. Reply for consulting options.