DPO guide: when to appoint, what to cover and how to maintain evidence
The decision to appoint or not appoint a DPO should be justified. It is not enough to look at company size: organisations must assess core activities, scale, data processed, monitoring, risk and expectations from clients or regulators.
When the question should be assessed
The analysis is relevant when there is regular processing of personal data, sensitive data operations, systematic monitoring, services to regulated entities, recurring client requests or insufficient internal privacy expertise.
Even when appointment is not mandatory, structured external support may be useful for governance, documentation and operational response.
What a DPO or external support can cover
- Recurring advice to management and operational teams.
- Review of policies, procedures and records.
- Support for data subject requests, incidents and impact assessments.
- Evidence preparation and reporting.
- Contact with the supervisory authority when applicable.
- Independence, judgement and documentation of decisions.
Common mistakes
Appointing someone only on paper, without time, autonomy or sufficient expertise, creates a false sense of security. It is also risky not to document a decision not to appoint a DPO when risk signals or client requirements exist.
The role should be connected to operations: procurement, HR, marketing, IT, security, legal and management should know when privacy must be involved.
How Ahkoris can support
Ahkoris provides DPO as a Service, recurring privacy support, diagnostics, documentation, response to data subjects and incidents, evidence preparation and management advice.