Mandatory DPO: cases, missions and risks in 2026
When is the appointment of a DPO mandatory? Cases imposed by the GDPR, missions, frequent errors and a simple method to find out in 2026.
Expert note: This article was written by our chartered accountancy firm. Information is current as of 2026. For a personalised review of your situation, contact us.
Update April 5, 2026 - The DPO is not mandatory for all structures. The GDPR requires its designation in certain specific cases, but in many companies the real question is rather: is your data processing sufficient to make a DPO mandatory, or simply useful? In 2026, you must consider the nature of the processing, its scale, the sensitivity of the data and the level of internal governance.
Direct answer: the DPO is mandatory if your organization is a public authority or body, if your core activity involves regular and systematic monitoring of people on a large scale, or if you process sensitive data, health data or data relating to convictions and offenses on a large scale. Outside of these cases, the DPO remains optional, but often relevant.
In which cases is the DPO mandatory?
Article 37 of the GDPR targets three main families of situations. The CNIL reminds us that we must not think only in terms of the number of employees: a small structure may be concerned if its core activity is based on data-intensive processing.
1. Public authorities and bodies
Public authorities and most public bodies must appoint a DPO. This covers, for example, a town hall, a public establishment, a public agency or an organization responsible for a public service mission which processes personal data as part of its mission.
2. Processing where the core activity is based on regular and systematic monitoring
The DPO becomes mandatory when the main activity of the organization consists of monitoring people on a regular and systematic basis on a large scale. We are thinking here of activities where the collection and analysis of data are at the heart of the economic model: profiling, behavioral measurement, permanent geolocation, highly structured advertising targeting, or exploitation of customer data on a large scale.
3. Large-scale processing of sensitive data
The GDPR also targets the large-scale processing of special categories of data, such as health data, biometric data, political opinions, religious beliefs, racial or ethnic origin, or data relating to criminal convictions and offences.
Quick reference chart
| Situation | DPO required? | Example |
|---|---|---|
| Public authority or body | Yes | Town hall, public establishment |
| Core activity involving regular and systematic monitoring on a large scale | Yes | Platform with intensive profiling |
| Large-scale processing of sensitive data | Yes | Medical office, mutual insurance, biometrics |
| Classic SME with CRM, quotes and invoicing | Not automatically | Consulting firm, agency, trade |
| Company that distributes marketing campaigns without massive tracking | Not automatically | Service SMEs with limited customer base |
Why company size is not enough
A common mistake is to believe that only the number of employees triggers the obligation. In practice, size helps to estimate the scale of the processing, but it does not tell the whole story. A small organization can be very exposed if it processes sensitive data, monitors its users continuously or bases its activity on behaviour analysis.
Conversely, a medium-sized company can function very well without a mandatory DPO if its processing is more traditional: commercial management, payroll, accounting, supplier monitoring, customer relations and non-intrusive marketing.
Hayot Expertise Advice: the right question is not only "how many people have access to the data?" but "what is the place of data in the business model and in the tools used on a daily basis?"
How do you know if you are affected in practice?
To decide, you need to analyze the processing as a whole. The CNIL and the GDPR look in particular at:
- the nature of the activity;
- the frequency of the processing;
- the number of people concerned;
- the volume of data;
- the retention period;
- the sensitivity of the data;
- the use of subcontractors and SaaS tools;
- the risk for the rights and freedoms of people.
The right questions to ask yourself
1. Is your data sensitive or quasi-sensitive?
2. Is your core business based on tracking or profiling people?
3. Do you hold a lot of HR, health, customer or patient data?
4. Do you use several connected tools that cross-reference information?
5. Are you able to prove your compliance in the event of an inspection?
If one or more answers are worrying, the analysis must be documented and a DPO, internal or external, should be considered, even if the designation is not imposed automatically.
What does a DPO actually do?
The DPO is not only a "GDPR referent". Its role is precise and useful on a daily basis. The DPO must:
- inform and advise the data controller and employees;
- check compliance with the GDPR and internal rules;
- raise awareness among the teams;
- participate in the impact analysis when necessary;
- serve as a point of contact with the CNIL and with the persons concerned;
- help structure registers, procedures, notices and incident management.
The DPO must also remain independent in the exercise of their mission. In practice, they should not find themselves judge and jury, for example by personally validating the purposes or the essential means of the processing operations whose compliance they then check.
Internal, external or shared DPO?
The GDPR does not require that the DPO be an employee. In 2026, many SMEs and groups prefer an external or shared solution.
| Option | Advantage | Limitation |
|---|---|---|
| Internal DPO | Good knowledge of the organization | Risk of conflict of interest if the function is too operational |
| External DPO | Expertise available without recruiting | Requires good framing of the mission |
| Shared DPO | Relevant for a group or several entities | Must remain reachable and sufficiently involved |
The right choice depends on your GDPR maturity, the volume of data processed and your ability to maintain sustainable governance.
Cases where a DPO is strongly recommended even without obligation
Many companies do not have a formal obligation to designate a DPO, but clearly benefit from doing so. This is often the case when:
- the company uses a CRM, automation or scoring tools;
- HR handles a lot of personal data;
- the activity involves sensitive or recurring customer data;
- the company uses AI, video surveillance or geotracking;
- several subcontractors work on the same data flows;
- management wants to be able to respond quickly to the CNIL, to a client or to an audit.
In these contexts, the DPO acts as a trusted pilot. The DPO does not replace management, but structures decisions, limits blind spots and avoids discovering problems too late.
Checklist before deciding
Before designating a DPO, or deciding not to, keep four reflexes:
- map actual processing;
- identify sensitive data or risky uses;
- check who really decides on the purposes and means;
- document your analysis and review it each year.
In 2026, this periodic review is essential: new tools, generative AI, marketing platforms and subcontractors are quickly multiplying the points of attention.
Common mistakes to avoid
- thinking only in terms of the number of employees;
- confusing the DPO with the IT manager;
- appointing a DPO without giving them the means;
- forgetting to document the analysis of the obligation;
- creating a conflict of interest by entrusting the DPO role to a person who already decides on the purposes of the processing;
- believing that GDPR software replaces human governance.
Conclusion
Whether or not a DPO is mandatory cannot be decided on instinct. In 2026, the right method consists of starting from your actual processing, checking the GDPR criteria and documenting your choice. If the conditions for the obligation are met, a DPO must be designated with real resources. Otherwise, an external DPO or simpler GDPR governance may remain an excellent option.
To go further, see Accounting AI: automate without giving up expertise, How can an independent accountant benefit from a CRM? and Digital accountant.
(Official sources: GDPR - EUR-Lex, CNIL - designation of a DPO, CNIL - practical guide to DPOs)
Frequently asked questions
Is the DPO mandatory for all companies?
No. The GDPR does not impose a DPO on all companies. Designation is mandatory above all for public authorities, for large-scale processing based on regular and systematic monitoring, and for certain large-scale processing of sensitive data. For other structures, the DPO may remain optional but useful.
Can an external DPO be designated?
Yes. The DPO can be internal or external, and can also be shared between several entities if the organization remains clear. The essential point is that the DPO has the time, the information and the independence needed to carry out the mission properly.
Is there an employee headcount threshold that makes the DPO mandatory?
No, there is no headcount threshold that would suffice on its own. The size of the company can give an indication, but what matters above all is the nature of the processing, its scale, its regularity and the sensitivity of the data.

Article written by Samuel HAYOT
Chartered Accountant, registered with the Institute of Chartered Accountants.
Regulated French accounting and audit firm based in Paris 8, built to support companies across France with a digital and decision-oriented approach.