Your DPO has resigned, been laid off, or otherwise departed. You have a gap in a role that GDPR Article 37 may require you to fill. Enterprise customers and regulators expect a named DPO to be in place. The work that DPO was doing has not stopped because they left.
This page covers what to do in the days and weeks after your DPO departs, including immediate steps, interim coverage options, and how to handle regulator notification.
Key takeaways
- If GDPR Article 37 required you to have a DPO, you must have one continuously, though supervisory authorities generally tolerate a brief gap of a few weeks during a transition.
- If your previous DPO was notified to a supervisory authority, you must notify the authority of the change, typically including the departure date and the successor or interim arrangement.
- The three interim coverage options are an internal interim appointee, an outsourced DPO on a permanent basis, or an outsourced DPO as a bridge during recruitment.
- Most outsourced DPO providers can engage within one to two weeks, and for urgent needs some (including us) can start within 48 to 72 hours.
- We provide rapid-start outsourced DPO services for interim and permanent coverage, with supervisory authority notification handled as part of onboarding.
The legal position
If GDPR Article 37 required you to have a DPO, you are required to have one continuously. There is no formal grace period during which a vacancy is permitted. Practically, supervisory authorities understand that transitions happen and a brief gap (a few weeks) during a transition is generally tolerated. But an extended vacancy can become a compliance issue, particularly if a breach or other event happens during the gap.
If your previous DPO was notified to a supervisory authority, you must notify the authority of the change. The exact requirements vary by member state but typically include the date of departure and the name of the successor or interim arrangement.
Immediate steps (Week 1)
Conduct a knowledge transfer with the departing DPO if possible. The most important items to document are: ongoing matters with the supervisory authority, open data subject access requests, ongoing vendor reviews, status of any active or pending breaches, pending DPIAs, status of compliance program documentation, and key relationships with internal stakeholders.
Identify what work is in flight and what is at risk of dropping. Common items that slip during DPO transitions: enterprise vendor security questionnaires (sales teams suffer), data subject rights requests (regulatory and reputational risk), breach response readiness (operational risk), and vendor DPA reviews (commercial risk).
Designate an interim contact for privacy matters internally. Even before you have a permanent or outsourced replacement, someone needs to be the privacy point of contact so that internal stakeholders and external requests do not go unanswered.
Interim coverage options
There are three realistic options for covering the gap, with different trade-offs:
Option 1: Internal interim. Appoint an internal employee (typically from legal, compliance, or security) as interim DPO while you recruit a permanent replacement. Pros: low cost, fast to implement. Cons: the interim person is often not qualified for the role and the company carries unmitigated compliance risk during their tenure. This works if the gap is short (under 6 weeks) and the company has limited privacy obligations.
Option 2: Outsourced DPO on a permanent basis. Replace the full-time role entirely with an outsourced DPO service. Pros: lower cost than full-time, senior expertise, fast to implement. Cons: less embedded in company culture. This works particularly well for companies where the privacy workload is variable and the long-term need does not justify a full-time hire.
- An outsourced DPO is a senior data protection expert who manages your entire privacy compliance program: building policies, handling data subject requests, managing vendor risk, supporting enterprise deals, responding to breaches, and engaging with regulators on your behalf. This service is variously referred to as external DPO, virtual DPO, fractional DPO, or DPaaS (DPO as a Service). All four terms refer to the same service model: a qualified Data Protection Officer provided by an external firm on a retainer basis, rather than a full-time employee.
Option 3: Outsourced DPO as a bridge. Engage an outsourced DPO immediately for interim coverage while you recruit a permanent replacement. Pros: no compliance gap, senior expertise during transition, the outsourced provider can help with the recruitment and onboarding. Cons: requires a second transition when the permanent hire arrives. This is the most common pattern for companies that have decided they want a full-time DPO long term.
How fast can an outsourced DPO start?
Most outsourced DPO providers can engage within one to two weeks of contract signature for established companies. For urgent needs, some providers (including Engage Compliance) can start within 48 to 72 hours.
The starting work typically includes: review of current state of compliance documentation, identification of immediate priorities (active matters, pending deadlines, in-flight transactions), notification to supervisory authority of the DPO change, and stabilization of in-flight matters.
Notifying the supervisory authority
If your previous DPO was formally notified to a supervisory authority, you must notify the authority of the change. Specific requirements vary:
- Netherlands (Autoriteit Persoonsgegevens): Update your DPO notification via the AP website. New DPO details must be submitted within a reasonable time.
- UK (ICO): Update your DPO contact details in your ICO registration.
- Ireland (DPC): Update your DPO contact through the DPC notification system.
- Germany: Update with the relevant Land supervisory authority depending on your seat.
Most authorities have online portals or forms for these updates. Engage Compliance handles these notifications as part of outsourced DPO onboarding.
What to tell customers and partners
Enterprise customers and partners who have your DPO listed as their privacy contact need to know about the change. Do not wait for them to discover it via a bounced email.
A brief professional notice is appropriate: “Our previous DPO has departed. Privacy matters can be directed to [new DPO email]. We have appointed [name/firm] as our new DPO effective [date].”
If you engage an outsourced DPO, the provider becomes your formal DPO. The provider’s contact information should replace your previous DPO’s in your privacy notice, your data processing agreements, and your vendor questionnaire responses.
Preventing this from happening again
DPO departures are a known risk. Some practical risk mitigations:
- Document thoroughly while your DPO is in role: RoPA, DPIA, breach playbook, vendor list, ongoing matters log. This makes any transition (planned or unplanned) much smoother.
- Avoid making your DPO a single point of failure. Even a full-time in-house DPO should have a documented backup contact and a clear escalation path during their absence.
- Consider whether an outsourced or hybrid model fits better for your stage. Outsourced DPO providers do not “leave” in the same way an employee does; if the relationship needs to change, the outsourced provider helps transition the work.
How Engage Compliance helps
We provide rapid-start outsourced DPO services specifically suited to interim and permanent coverage of a vacated DPO role. Engagement typically begins within one week, with formal supervisory authority notification handled as part of onboarding.
Engage Compliance has supported multiple companies through DPO transitions, both as bridge coverage during a permanent recruitment and as permanent outsourced coverage replacing the in-house role.
Industries we cover
- Tech and SaaS
- Healthcare
- Blockchain and Crypto
- Investment and Banking
- Retail
- Legal and Consulting firms
Get started
If your DPO has just left and you need coverage urgently, book a consultation. We can typically engage within one week, sometimes faster.
This page is general information, not legal advice.