DPO in 2026: What the Role Actually Does (and Why It’s Underpaid)

The Data Protection Officer was supposed to be the privacy professional’s promised land — a legally protected role with a direct line to the board, immune from retaliation, indispensable to any organization that touches European data. Eight years after GDPR enforcement began, the reality is messier. The job has expanded to absorb AI governance, twenty new US state privacy laws, an EU AI Act with fines exceeding GDPR’s, and cybersecurity regulations like NIS2 and DORA. Compensation has not kept pace with that expansion. In Brazil, 30% of surveyed DPOs report no dedicated budget at all. In the US, the title pays a fraction of what equivalent compliance officers and CISOs earn for narrower remits.

This piece looks at what DPOs actually do in 2026 — the Article 39 baseline, the layers regulators have added on top, the structural problem of independence, and the compensation gap that has turned the role into a stepping stone rather than a destination.

The Article 39 Baseline (and Why It No Longer Describes the Job)

The legal definition of the DPO is narrow and specific. GDPR Article 39 lists six tasks: inform and advise the controller about obligations, monitor compliance, advise on Data Protection Impact Assessments, cooperate with the supervisory authority, act as the contact point for that authority, and consider risk in processing operations. Articles 37 and 38 add the structural requirements — independence, no conflict of interest, direct reporting to the highest level of management, no penalization for performing the role.

Read literally, this is a compliance advisory function. Read in practice, it is the floor of a job that has tripled in scope.

The IAPP’s 2024 Privacy Governance Report found that approximately 70% of European organizations have at least one data protection officer, with an average of three to four full-time DPOs each, while only 40% of North American organizations have a DPO with an average of less than one full-time DPO per organization. The same report documented the scope explosion: among surveyed chief privacy officers, 69% have acquired additional responsibility for AI governance, 69% for data governance and ethics, 37% for cybersecurity regulatory compliance, and 20% for platform liability. More than 80% of privacy teams have gained responsibilities beyond privacy.

The DPO as defined in GDPR Article 39 is not the DPO most organizations actually employ. The actual job description has been quietly rewritten by regulators issuing new mandates and by organizations consolidating governance functions onto the privacy team because it already exists.

REGULATORY MAPPING: What lands on the DPO’s desk in 2026

CORE — GDPR (2018), Articles 37–39: DPIAs, records of processing, breach notification within 72 hours, supervisory authority cooperation, data subject rights handling.

ADDED — EU AI Act (full effect 2 Aug 2026): Fundamental Rights Impact Assessments, AI literacy duties, conformity assessments. Maximum fines reach EUR 35 million or 7% of global turnover, exceeding GDPR’s 4%.

ADDED — NIS2 + DORA (Feb 2026 grace period ended): Cybersecurity legal traceability, ICT risk management, incident reporting. Cybersecurity is treated as a legal obligation of result, not a technical aspiration.

ADDED — US state patchwork (20 states active): CCPA/CPRA, VCDPA, CPA, TDPSA, IN, KY, RI + 13 more. Universal Opt-Out Mechanism honoring required in 12 states; California DROP deletion platform live.

ADDED — Sectoral overlays: LGPD (Brazil), PIPL (China), DPDP (India), POPIA (South Africa). Multinationals routinely require their DPO to map across 5–10 frameworks simultaneously.

What a DPO Actually Does in a Given Quarter

A working DPO in a mid-sized European company spends most of their time on a handful of recurring activities, none of which are glamorous and most of which are invisible to anyone outside the privacy team.

Records of Processing Activities (RoPA) maintenance. Article 30 records are not a one-time deliverable. New systems get adopted, old ones get retired, vendors change, data flows shift, and the RoPA has to track all of it. In practice this means quarterly reviews with every business unit, with the DPO chasing system owners who consider the exercise paperwork.

DPIA review. Any high-risk processing — biometric authentication, employee monitoring, large-scale profiling, AI-driven decision-making — triggers a Data Protection Impact Assessment. The DPO does not run the DPIA but advises on it and, under Article 35(2) of GDPR, must be consulted. With the EU AI Act adding Fundamental Rights Impact Assessments (FRIAs) for high-risk AI deployments, the assessment workload has roughly doubled for any organization deploying AI in HR, finance, healthcare, or public services.

Data subject rights handling. Access, deletion, correction, portability, opt-out. In a consumer business this is a steady stream of requests routed through the DPO’s office for legal sufficiency review. California’s Delete Request and Opt-Out Platform (DROP) went live January 1, 2026, with data brokers required to process centralized deletion requests beginning August 1. That is one new operational integration on top of the per-state opt-out infrastructure already required.

Breach response. GDPR’s 72-hour notification window means the DPO is on call. The actual investigation belongs to security, but the DPO drafts the supervisory authority notification, decides whether the breach is notifiable to data subjects, and absorbs the regulator-facing communication that follows. NIS2 and DORA layer additional incident reporting obligations on top, with their own timelines and recipients.

Vendor and processor oversight. Every Article 28 processor agreement, every Standard Contractual Clauses set for international transfers, every Transfer Impact Assessment after Schrems II — these flow through the DPO. A multinational with hundreds of vendors generates a constant stream of contract review.

Training. GDPR requires staff awareness; the AI Act now requires AI literacy training proportional to employee role and risk. The DPO either delivers this directly or designs the program.

Supervisory authority correspondence. Regulators send questionnaires. They run coordinated enforcement actions — the European Data Protection Board chose the DPO role itself for a 2023 coordinated action. The DPO drafts responses and manages timelines.

What is not on this list: strategic input on whether a product should be built, what data architecture the company adopts, or how the security team prioritizes. The DPO advises; the controller decides. That distinction, written into Article 39 to protect DPO independence, is also the source of the role’s most persistent frustration.

The Independence Problem

GDPR Article 38 is unusually explicit about DPO independence. The DPO must report directly to the highest level of management, must not receive instructions on how to perform tasks, must not be dismissed or penalized for performing the role, and must not have a conflict of interest with other duties. On paper, this is one of the strongest protections any compliance role has under any regulation.

In practice, independence corrodes from below. A 2025 study of more than 200 Brazilian DPOs found that while 66% affirm they have necessary functional independence, one-third report their autonomy is either partially compromised or non-existent — citing pressure to approve high-risk activities or being required to seek prior approval from other directors before acting. The “lone wolf” DPO is common, with 22% of respondents reporting they work entirely alone, and 69% having dedicated privacy teams of five or fewer people.

The reporting line is part of the problem. Nearly half of DPOs surveyed by IAPP sit within their organization’s legal team, just over a quarter sit in regulatory compliance, and a smaller percentage in either privacy and data protection or information security. Each placement creates a different kind of conflict. A DPO inside Legal answers to a General Counsel whose job is to defend the company; a DPO inside Compliance gets folded into the broader compliance machine and loses privacy specificity; a DPO inside Information Security risks being seen as a checkbox for audits rather than an advisor.

The structural tension surfaces in specific recurring scenarios. A product team wants to ship a feature involving large-scale personal data processing; the DPO advises against it on Article 6 lawful basis grounds; the business pushes back; the matter goes to the executive who funds both the product team and the DPO’s headcount. The Article 38 protection against penalization technically applies, but career consequences are subtler than dismissal — the DPO who blocks too many things stops getting invited to the early-stage conversations where their input would actually matter.

Why DPOs Are Underpaid Relative to the Job

The compensation picture in 2026 is fragmented and somewhat contested. Glassdoor’s February 2026 data puts the average US DPO salary at $131,247 per year, with a typical range of $98,435 to $180,503 and 90th percentile earners reporting up to $238,715. Salary.com’s geographic breakdown shows higher figures, with averages around $190,745 in California and $188,203 in Massachusetts. According to Glassdoor, Barclay Simpson, the National Law Review, and IAPP, data protection officers earn an average salary of $94,000, with senior officials at top companies expecting six-figure salaries.

The wider context is what makes these numbers look thin. The IAPP’s 2025–26 Salary and Jobs Report found that half of all respondents working in both privacy and AI governance earn more than $169,700, while half of respondents working solely in a single domain earn less than $123,000 for privacy and $151,800 for AI governance. The cross-domain premium is significant — and it implicitly punishes the DPO who has only been allowed to do the DPO job.

Compare this to adjacent compliance roles. A Chief Information Security Officer in the same company will typically earn between $250,000 and $500,000 in the US for organizations of any size, and the BLS reports information security analysts earned a median of $124,910 in May 2024, with the top 10% over $186,420. A general counsel at a mid-sized public company clears $400,000 in base before equity. A SOX compliance officer at a Fortune 500 firm runs $180,000–$250,000 for a remit narrower than the DPO’s.

The DPO carries personal regulatory exposure (in some jurisdictions), legally protected independence requirements, and a remit that has expanded to cover AI governance, cybersecurity compliance, vendor risk, and a 20-state US privacy patchwork — for compensation that anchors below CISO and often below senior compliance counsel. Three structural factors explain the gap.

COMPENSATION CONTEXT: Why the DPO premium hasn’t followed the workload

1. The role is a cost center, not a revenue function. Companies fund DPOs out of regulatory necessity, not strategic investment. A CISO can quantify breach prevention; a DPO mostly prevents fines that never happen, which is harder to put in a budget defense.

2. External DPO services suppress internal salaries. Outsourced DPO services start at GBP 60 per month for SMEs. The market floor for the role anchors low because most small organizations rent rather than hire.

3. Title inflation routes ambition elsewhere. Talent that would have been DPO five years ago becomes Chief Privacy Officer or AI Governance Lead, titles with budget authority and equity. The DPO seat gets filled by less senior staff.

4. Cross-domain experience gets the salary lift. IAPP data shows multi-domain practitioners (privacy + AI governance) earn $169,700+ medians vs $123,000 for privacy-only. The pure DPO who stays in their lane is paid for the lane.

The compensation gap is not because privacy is undervalued — privacy adjacent roles pay well. It is because the DPO title, as legally defined, is narrower than where the money is.

The Certifications and Credentials Question

Practitioners trying to maximize earning potential gravitate toward IAPP credentials — CIPP/E for European law, CIPP/US for US state laws, CIPM for program management, CIPT for technical privacy. IAPP’s 2025–26 report found that at least 77% of surveyed respondents held one or more IAPP certifications and 39% held several, with median salary rising with any IAPP qualification and rising further with multiple qualifications. An IAPP certification produces a median salary uplift of 10–15%.

Whether this represents causation or selection is genuinely contested. Certified practitioners may earn more because the certification adds value, or because the kind of practitioner who pursues certification is also the kind who negotiates harder and works at organizations that pay more. The honest answer is probably some of both.

The CIPM in particular shows up in CISO job requirements increasingly often, which signals that privacy certifications now travel beyond the privacy function — another reminder that purely DPO-shaped careers are less remunerative than DPO-shaped careers with adjacent expansion.

Where the Role Is Heading

Three trajectories are becoming visible.

Consolidation into broader governance roles. Chief Privacy Officer, Chief Trust Officer, Head of Digital Responsibility — titles that absorb the DPO function while adding AI governance, ethics, and sometimes security. The legally mandated DPO role still exists underneath, often filled by a deputy or external service, but the C-suite ownership lives elsewhere.

Externalization for everyone except the largest organizations. External DPO services have become the default for organizations under a few thousand employees. The internal DPO becomes a luxury rather than a baseline, reserved for companies whose data processing risk profile justifies it.

Specialization within large privacy teams. In organizations with 26+ person privacy teams (the European average), the DPO becomes one role among many — sitting alongside privacy engineers, AI governance specialists, regulatory liaisons, and DSAR operations leads. The “DPO does everything” model only persists in mid-sized organizations that cannot fund specialization.

CAREER PATH: Three exits from the pure-DPO seat

Upward: CPO / Chief Trust Officer. Add AI governance, vendor risk, and cybersecurity compliance to the remit. Acquire budget authority. Compensation lift: meaningful, plus equity in many roles.

Sideways: AI Governance Lead. Pivot into the role most heavily funded by 2026 budgets. A privacy background is a credible foundation. Compensation lift: significant; IAPP medians favor AI governance.

Outward: External DPO Practice. Build a consultancy serving multiple SMEs. Trade salary stability for fee leverage and portfolio breadth. Compensation lift: variable, practice-dependent.

Frequently Asked Questions

Is a DPO required if my company is in the US?

Not under a federal law — there isn’t one. Twenty US states now have comprehensive privacy laws active in 2026, but most do not mandate a named DPO the way GDPR does. They require equivalent functions — DPIA-style assessments, consumer rights handling, vendor oversight — without specifying who performs them. Companies that process EU resident data, however, fall under GDPR’s extraterritorial scope and may need a DPO regardless of where they are headquartered.

Can the same person be DPO and CISO?

Almost always a conflict of interest under GDPR. The CISO defines and implements security controls; the DPO must independently monitor and advise on whether those controls meet legal obligations. The same person filling both roles cannot independently advise on their own decisions. Supervisory authorities have repeatedly flagged this combination as problematic.

Does an external DPO satisfy GDPR?

Yes. Under the GDPR model, the DPO may be an internal employee or an external appointment, but they must have expert knowledge and operate independently to avoid conflicts of interest. External DPOs often have stronger independence in practice because they are insulated from internal politics, though their depth of organizational knowledge is necessarily lower.

Will the DPO role still exist in five years?

In some form, almost certainly — GDPR Articles 37–39 are not changing. But the role’s center of gravity is shifting. The legally mandated function may persist as a discrete title while the actual decision-making and budget authority moves to broader governance roles like Chief Privacy Officer, Chief AI Officer, or Chief Trust Officer. The DPO seat may end up where the Records Manager ended up — required, narrow, and not the career destination it once seemed.

A Realistic Take

The DPO role works best as a chapter in a privacy career, not the whole book. The legal protections are real, the work is intellectually serious, and the regulatory tailwinds are not slowing — twenty US state laws active in 2026, the EU AI Act’s main provisions taking effect August 2, NIS2 and DORA enforcement maturing, and DPDP, PIPL, and LGPD continuing to evolve in their respective jurisdictions. There is more to do than there are people to do it.

What the role does not do well is reward people who stay in it. Practitioners who treat the DPO seat as a launching pad — adding AI governance credentials, working alongside security on NIS2 compliance, building DPIA practices that extend into FRIA territory — outearn the practitioners who let Article 39 define the job. The market has decided that the cross-domain privacy professional is worth more than the pure DPO, and it has decided this with money.

The honest advice for anyone taking a DPO role in 2026 is to read Article 39 carefully, accept it as the floor, and build the ceiling yourself. The regulators have already made the workload bigger. Compensation follows the practitioners who refuse to keep the job small.
