Your DPO Checklist: What Telenor's €350,000 Fine Teaches Us
Having a Data Protection Officer on paper is not the same as having a functioning one. Telenor found this out the hard way. The Norwegian telecommunications company was fined approximately €350,000 by the Norwegian data protection authority, not because they lacked a DPO, but because the role was not set up properly.
Here is what went wrong, who actually needs a DPO, and what getting it right looks like in practice.
What happened at Telenor
Telenor had appointed a DPO. But the Norwegian DPA found several serious problems with how the role was structured.
The DPO's independence was not properly evaluated or documented. The DPO was also serving as in-house legal counsel at the same time, creating a potential conflict of interest that the company had not adequately addressed. The DPO did not have a clear and documented reporting line to senior management, and had been denied access to that management level for over a year. And the DPO did not have the resources needed to do the job properly.
The fine was €350,000. The authority noted that no specific damage to data subjects was identified, which was considered a mitigating factor. Without that, the fine could have been higher.
The message is clear: appointing a DPO is just the beginning. How you set up that role is what determines whether it actually works.
Does your organisation need a DPO?
Not every company is required to appoint one. Under GDPR, a DPO is mandatory if you fall into one of three categories.
You are a public authority or public body. Or your core activities involve large-scale, systematic monitoring or profiling of individuals (think online tracking platforms or behavioural advertising). Or you process large amounts of sensitive data, such as health information or data about criminal convictions.
If your company uses AI, operates in health tech, or runs a data-driven platform, it is worth taking a closer look. The threshold may be closer than you think.
What getting it right looks like
If you are required to appoint a DPO, or are choosing to appoint one voluntarily, here is what matters.
No specific diploma is required. There is no mandatory qualification for DPOs under GDPR. Certifications can be useful, but they are not the deciding factor. What matters is genuine expertise in privacy and data protection law.
Experience counts. Your DPO needs to understand privacy in practice, not just in theory. This is not a role for someone who is new to the subject.
No conflict of interest. Your DPO cannot hold a position that conflicts with their data protection role. Combining the DPO function with Legal, IT, or compliance management responsibilities is a known risk area and one that regulators are actively looking at. The Telenor case is a direct example of this.
Give them resources. This means involving the DPO in all decisions that touch on personal data, ensuring they can report directly to the board or senior management, and providing the time, budget, and tools they need to do the job.
Make them visible. Your DPO's contact details should appear in your privacy notice. You should also register them with your national data protection authority.
Internal or external DPO: which is right for you?
Many organisations assume the DPO has to be a full-time employee. That is not the case. An external DPO can be a practical and cost-effective solution, particularly for smaller organisations that want independent expertise without the overhead of a full-time hire.
Here is a quick comparison:
Internal DPO (employee). Benefits: knows your business well. Downsides: higher risk of conflict of interest, may lack deep privacy expertise, usually a higher payroll cost.
External DPO. Benefits: strong privacy background, lower conflict of interest risk, cost-effective. Downsides: less internal business context.
For companies using AI, handling sensitive data, or operating in regulated sectors, independence often outweighs the benefits of internal familiarity. An external DPO brings the expertise and separation that makes the role credible with regulators.
For more context on the broader compliance framework that the DPO role sits within, take a look at our post on GDPR for Startups: 3 Things to Focus on First.
Wondering whether your current DPO setup is solid, or whether you actually need one in the first place? Get in touch and we will take a look together.
We take great care in providing information to you, but please be aware that these blog posts cannot be considered a substitute for professional legal advice, nor do they create an attorney-client relationship.