
AI Compliance

DPO as a Service: Does Your AI Company Need an External Data Protection Officer?

M.K. Onyekwere · 10 min read

You've built an AI product that processes personal data. Maybe it's a chatbot handling customer queries, a recommendation engine, or an automated decision-making system. Business is growing. Then someone asks: "Do we have a Data Protection Officer?"

And you think — do we actually need one?

The short answer: if you're processing personal data at scale with AI, probably yes. The longer answer involves a legal test, some honest maths, and a comparison that almost always points to the same conclusion.

The Legal Test: When You Must Appoint a DPO

GDPR Article 37(1) sets out three scenarios where appointing a DPO is mandatory:

  1. You're a public authority or body (other than a court acting in its judicial capacity) — straightforward, you need one.
  2. Your core activities require regular and systematic monitoring of individuals on a large scale — this catches a lot of AI companies. If your product tracks user behaviour, runs profiling, or makes automated recommendations, this is you.
  3. Your core activities involve large-scale processing of special category data (health, genetic, biometric, racial or ethnic origin, political opinions, and so on) or of personal data relating to criminal convictions and offences.

Here's where it gets interesting for AI companies. The ICO reads "regular and systematic monitoring" broadly, in line with the Article 29 Working Party's guidelines on DPOs, and its examples explicitly include:

  • Profiling and scoring (credit scoring, behavioural advertising)
  • Location tracking
  • CCTV and other surveillance
  • Connected devices collecting personal data
  • Automated decision-making with legal or significant effects

If your AI system makes decisions about people — who gets approved, who gets flagged, what content they see — you're almost certainly in scope.

And even if you don't technically hit the threshold, the ICO encourages organisations to appoint a DPO voluntarily, and for anyone building AI products that encouragement deserves serious consideration. If you decide not to appoint one, document the analysis: a regulator will ask why. It's not just about ticking a box. It's about having someone who actually understands the risks and can catch problems before they become fines.

What a DPO Actually Does (Day-to-Day, Not Theory)

Article 39 lists the DPO's tasks in abstract terms (inform and advise, monitor compliance, advise on DPIAs, cooperate with the regulator). Here's what a DPO for an AI company actually does in practice:

Compliance monitoring. They review your data processing activities, check that your privacy notices are accurate, and make sure your records of processing (ROPA) aren't collecting dust in a Google Doc from 2023.

DPIA oversight. Almost every new AI system, and any significant change to an existing one, needs a Data Protection Impact Assessment, because the ICO treats innovative technology, large-scale profiling and automated decision-making as high-risk triggers under Article 35. The DPO doesn't write it for you — they advise on it, review it, and flag risks you've missed (Article 39(1)(c) makes that advice a statutory task). If you're building AI systems, this is a constant workflow, not a one-off exercise.

Regulator liaison. If the ICO contacts you — whether it's a routine enquiry or something more serious — the DPO is your designated point of contact. They know how to respond, what to disclose, and how to manage the process without panicking.

Subject access requests (SARs). When someone asks "what data do you hold on me?" the DPO coordinates the response, which is normally due within one month (extendable by a further two months for complex requests). For AI companies, this gets complicated fast. What about data used in model training? Inference logs? Conversation histories? Prompts that mention third parties? A good DPO knows how to handle these edge cases.

Staff training. Not the annual "click through 40 slides" type. Practical guidance for developers on data minimisation, for sales teams on what they can promise about data handling, for product managers on privacy by design.

Breach management. When (not if) something goes wrong, the DPO assesses whether the incident is a reportable breach (one that is likely to pose a risk to individuals), coordinates the notification to the ICO within 72 hours of you becoming aware of it if required, and manages communication with affected individuals where the breach is likely to pose a high risk to them.

AI-specific compliance. This is the bit most generic DPOs can't do. Reviewing automated decision-making processes against Article 22 (decisions based solely on automated processing that have legal or similarly significant effects). Checking whether your system falls under EU AI Act obligations, which apply if you place it on the EU market or its output is used in the EU. Advising on transparency requirements — can your users understand why the AI made a particular decision, and can you explain the logic involved when they ask?

Hire vs. Outsource: The Honest Comparison

Let's look at the numbers first.

In-House DPO

  • Salary: £50,000–£80,000/year for someone qualified. In London, closer to £70,000–£90,000.
  • Benefits, NI, pension: Add 15-20% on top.
  • Recruitment costs: £10,000–£20,000 through an agency, or 3-6 months of your time.
  • Training and development: £2,000–£5,000/year to keep certifications current.
  • Total first-year cost: Realistically £75,000–£120,000.

And here's the problem: the person you hire will almost certainly be a GDPR specialist. Finding someone who genuinely understands AI systems — how LLMs work, what model training involves, where inference data flows — is extremely rare. You'll hire a privacy lawyer who Googles "what is a transformer model" on their first day.

There's also the independence requirement. GDPR says the DPO can't be instructed on how to perform their tasks and can't be dismissed for doing their job. In a small company, that creates an awkward dynamic. Your DPO might need to tell the CEO their pet project is non-compliant. That's easier when the DPO doesn't rely on you for their mortgage.

Outsourced DPO (DPO as a Service)

  • Monthly retainer: £500–£2,000/month for SMEs, depending on complexity.
  • Annual cost: £6,000–£24,000/year.
  • No recruitment costs. No benefits. No NI contributions.
  • Immediate availability. No 3-month notice period to wait out.
  • Total first-year cost: £6,000–£24,000. That's roughly 10–30% of the in-house option.

The independence issue disappears too. An external DPO has no career incentive to go easy on you. They'll tell you what's wrong because that's literally their job, and their reputation depends on getting it right.

When In-House Makes Sense

To be fair, there are situations where hiring makes more sense:

  • You're processing very high volumes of sensitive data (health AI, financial services at scale)
  • You need a DPO physically present daily
  • You have 200+ employees and complex internal data flows
  • You're a public authority (Article 37(3) lets several authorities share one DPO, but the role is often easier to run internally)

For most AI-focused SMEs with 5-50 employees? Outsourcing wins on cost, expertise, and independence.

What to Look for in an Outsourced DPO

Not all DPO services are equal. Here's what separates good from useless:

AI and technology knowledge. This is the biggest differentiator and the hardest to find. Your DPO needs to understand how AI systems process data — not just "we use AI" but the specifics. Where does training data come from? What happens during inference? Where are API calls routed? If they can't write a DPIA for an AI system, they can't be your DPO.

Relevant qualifications. CIPP/E (Certified Information Privacy Professional/Europe) is the gold standard for GDPR. Check for it. A law degree helps but isn't sufficient on its own — privacy law is a specialism.

Response times. Your DPO agreement should specify response times. For routine queries, 24-48 hours is reasonable. For breach incidents, you need same-day — ideally within hours. The 72-hour ICO notification window doesn't wait for anyone's inbox.

Scope clarity. Get the scope in writing. How many DPIAs are included? Is staff training covered? What about SAR handling — do they manage the process or just advise? Are ad-hoc queries unlimited or capped? Ambiguity here leads to surprise invoices.

Regulatory track record. Have they actually dealt with the ICO? Managed a breach notification? Handled a complaint? Theory is cheap. Experience is what you're paying for.

EU AI Act awareness. The Act's main obligations, including those for high-risk systems, apply from 2 August 2026, so your DPO needs to understand how AI Act duties overlap with GDPR (risk management, transparency, human oversight, data governance). Most traditional DPOs haven't caught up yet.

How DPO as a Service Actually Works

Here's what the engagement typically looks like:

Month 1: Onboarding and audit. The DPO reviews your current data processing activities, existing policies, AI systems, and compliance posture. They'll identify gaps — and there will be gaps. You'll get a prioritised remediation plan.

Ongoing monthly retainer. The DPO is formally designated: their contact details are notified to the ICO and published in your privacy notice, as Article 37(7) requires. They're available for:

  • Reviewing new AI features or products for compliance
  • Advising on DPIAs (and reviewing completed ones)
  • Handling SAR coordination
  • Responding to data subject complaints
  • Staff training sessions (typically quarterly)
  • Maintaining your ROPA and processing records
  • Breach assessment and notification management

Quarterly reviews. A structured check-in to review any new processing activities, update risk assessments, and ensure your documentation is current. This matters more than it sounds — regulators check whether your compliance programme is living or just paperwork.

Ad-hoc support. Something urgent comes up — a potential breach, an ICO letter, a client demanding your compliance credentials before signing a contract. You pick up the phone or send an email. Your DPO responds within the agreed timeframe.

Annual reporting. A summary of activities, issues raised, recommendations made. Useful for board reporting and for demonstrating accountability to regulators.

The AI Knowledge Gap Is Real

Here's something most articles on DPO services won't tell you: the vast majority of outsourced DPOs don't understand AI.

They know GDPR inside out. They can recite Article 35 in their sleep. But ask them about the data protection implications of fine-tuning a language model on customer data, or whether retrieval-augmented generation changes your data processing obligations, and you'll get a blank stare.

This matters because AI creates specific compliance challenges that generic data protection knowledge doesn't cover:

  • Model training: If personal data was used to train your model, what are the retention obligations, and what lawful basis did you rely on? Can individuals exercise their right to erasure on training data, and what does erasure mean for a model that has already learned from it?
  • Inference logging: Are you storing prompts and responses? For how long? Who can read them? Does your privacy notice cover this?
  • Third-party APIs: When you send data to OpenAI or Anthropic for processing, you need an Article 28 processor agreement, and if the data leaves the UK it's a restricted international transfer that needs a lawful mechanism (the IDTA or UK Addendum, or the UK-US data bridge for certified recipients). Is your DPO advising on those safeguards?
  • Automated decision-making: Article 22 gives individuals the right not to be subject to decisions based solely on automated processing that have legal or similarly significant effects. Does your DPO know how to implement meaningful human oversight, rather than a rubber stamp?

You need a DPO who can answer these questions without having to research them first.

What This Costs You If You Get It Wrong

Let's be direct about the risk.

The ICO can fine you up to £17.5 million or 4% of global annual turnover, whichever is higher, for serious GDPR violations. Failure to appoint a DPO when required is a breach of Article 37 — that's in the lower tier of up to £8.7 million or 2% of turnover, whichever is higher, but it's still enough to end most SMEs.

Beyond fines, there's the reputational damage. Enterprise clients increasingly require proof of DPO appointment before signing contracts. If you can't demonstrate compliance, you lose deals.

And with the EU AI Act's main obligations applying from August 2026, the compliance bar is going higher, not lower. Companies that get their DPO arrangements sorted now will have a structural advantage over those scrambling in August 2026.

How We Can Help

At Janus Compliance, we don't just do data protection — we build AI systems and handle the compliance as part of the same engagement. That means when we act as your DPO, we actually understand what your AI does and where the real risks are.

Our DPO as a service includes:

  • Formal DPO designation with the ICO
  • AI-specific compliance monitoring
  • DPIA support for every new AI system or feature
  • Breach management and ICO liaison
  • Staff training tailored to your tech stack
  • Quarterly compliance reviews
  • EU AI Act readiness alongside GDPR

We're CIPP/E certified with direct experience building and deploying AI systems. That combination is rare, and it's exactly what AI companies need.

Ready to talk? Get in touch and we'll assess whether you need a DPO, what the scope should look like, and what it'll cost. No pressure, no jargon — just a straight answer.

Related reading: Learn whether you need a DPIA for your AI system, or see our step-by-step guide on how to write a DPIA for AI systems. Planning for the EU AI Act deadline? Here's what SMEs need to do before August 2026. Or check out our full services and pricing.

Frequently Asked Questions

When is a DPO legally required?

Under GDPR, you must appoint a DPO if you're a public authority, your core activities involve regular and systematic monitoring of individuals at scale, or your core activities involve processing special category or criminal offence data at scale. If your AI system processes personal data at scale (large chatbot, automated decision-making, employee monitoring), you likely need one. Even if not legally required, the ICO encourages voluntary appointment, and that makes particular sense if you process personal data with AI.

How much does an outsourced DPO cost?

External DPO services typically cost £500–£2,000/month for SMEs, depending on complexity and volume of data processing. Compare that to hiring an in-house DPO at £50,000–£80,000/year plus benefits. An outsourced DPO gives you qualified expertise at roughly 10–30% of the cost of a full-time hire, with no recruitment overhead and immediate availability.

What does a DPO actually do?

A DPO monitors GDPR compliance, advises on data protection impact assessments, acts as the contact point for the ICO and data subjects, trains staff on data protection, maintains records of processing activities, and reviews data processing agreements. For AI companies specifically, the DPO reviews AI systems for compliance, advises on automated decision-making requirements, and ensures AI-specific risks are managed.

Can a DPO be external to the company?

Yes. GDPR Article 37(6) explicitly allows DPO as a service — an external person or organisation fulfilling the DPO role. The external DPO must have the same independence, access, and authority as an internal DPO. For SMEs, external DPOs are often more practical because they bring broader experience across multiple organisations and don't need to be a full-time role.

Does my AI startup need a DPO?

If your AI processes personal data at scale (thousands of records, automated decisions about people, profiling), almost certainly yes. If you're pre-revenue processing small volumes, probably not yet — but you should have someone responsible for data protection even informally, and you should write down why you concluded a DPO isn't required. The ICO encourages voluntary appointment, and for AI companies that is worth serious consideration regardless of whether it's strictly required.

Need help with this?

We build compliant AI systems and handle the documentation. Tell us what you need.

Get in Touch
Tags: DPO as a service, data protection officer, external DPO, DPO for AI company, GDPR DPO requirement, outsourced DPO