Why Prospects Ask for Your DPO Even When the Law Doesn't

March 4, 2026

When GDPR first rolled out, most of us spent significant time with legal counsel running through checklists to see if we were actually required to appoint a Data Protection Officer. Many organisations (rightly so) concluded they didn't meet the specific regulatory threshold and decided not to formalise the role.

However, there is a massive gap between what the law mandates and what the market expects.

Lately, I’ve noticed a shift in how vendor risk assessments are handled. It’s no longer just about checking a box for cybersecurity controls or business continuity. Prospects, investors, and partners are digging into operational maturity, and their favourite litmus test is asking for the DPO’s contact information and qualifications.

If you have to explain that you haven't appointed one because you aren't "legally required" to, the conversation gets awkward quickly. It signals that you might be doing the bare minimum for compliance rather than building privacy into your operations by design.

In my view, whether you have a named DPO or not, you are still managing sensitive data. The organisations that win more deals are the ones that treat privacy as a trust signal. Having a qualified, named person in that role removes friction during due diligence and proves to your board that you’re taking a proactive, rather than reactive, approach to data protection.
