Our DPO Just Left. Now What?

Your DPO has resigned, been laid off, or otherwise departed. You have a gap in a role that GDPR Article 37 may require you to fill. Enterprise customers and regulators expect a named DPO to be in place. The work that DPO was doing has not stopped because they left.

This page covers what to do in the days and weeks after your DPO departs, including immediate steps, interim coverage options, and how to handle regulator notification.

The legal position

If GDPR Article 37 required you to have a DPO, you are required to have one continuously. There is no formal grace period during which a vacancy is permitted. Practically, supervisory authorities understand that transitions happen and a brief gap (a few weeks) during a transition is generally tolerated. But an extended vacancy can become a compliance issue, particularly if a breach or other event happens during the gap.

If your previous DPO was registered with a supervisory authority, you must notify the authority of the change. The exact requirements vary by member state but typically include the date of departure and the name of the successor or interim arrangement.

Immediate steps (Week 1)

Conduct a knowledge transfer with the departing DPO if possible. The most important items to document are: ongoing matters with the supervisory authority, open data subject access requests, ongoing vendor reviews, status of any active or pending breaches, pending DPIAs, status of compliance program documentation, and key relationships with internal stakeholders.

Identify what work is in flight and what is at risk of dropping. Common items that slip during DPO transitions: enterprise vendor security questionnaires (sales teams suffer), data subject rights requests (regulatory and reputational risk), breach response readiness (operational risk), and vendor DPA reviews (commercial risk).

Designate an interim contact for privacy matters internally. Even before you have a permanent or fractional replacement, someone needs to be the privacy point of contact so that internal stakeholders and external requests do not go unanswered.

Interim coverage options

There are three realistic options for covering the gap, with different trade-offs:

Option 1: Internal interim. Appoint an internal employee (typically from legal, compliance, or security) as interim DPO while you recruit a permanent replacement. Pros: low cost, fast to implement. Cons: the interim person is often not qualified for the role and the company carries unmitigated compliance risk during their tenure. This works if the gap is short (under 6 weeks) and the company has limited privacy obligations.

Option 2: Fractional DPO on a permanent basis. Replace the full-time role entirely with a fractional DPO service. Pros: lower cost than full-time, senior expertise, fast to implement. Cons: less embedded in company culture. This works particularly well for companies where the privacy workload is variable and the long-term need does not justify a full-time hire.

Option 3: Fractional DPO as a bridge. Engage a fractional DPO immediately for interim coverage while you recruit a permanent replacement. Pros: no compliance gap, senior expertise during the transition, and the fractional provider can help with recruitment and onboarding. Cons: requires a second transition when the permanent hire arrives. This is the most common pattern for companies that have decided they want a full-time DPO long term.

How fast can a fractional DPO start?

Most fractional DPO providers can engage within one to two weeks of contract signature for established companies. For urgent needs, some providers (including Engage Compliance) can start within 48 to 72 hours.

The starting work typically includes: review of current state of compliance documentation, identification of immediate priorities (active matters, pending deadlines, in-flight transactions), notification to supervisory authority of the DPO change, and stabilization of in-flight matters.

Notifying the supervisory authority

If your previous DPO was formally registered with a supervisory authority, you must notify the authority of the change. Specific requirements vary:

Netherlands (Autoriteit Persoonsgegevens): Update your DPO registration via the AP website. New DPO details must be submitted within a reasonable time.

UK (ICO): Update your DPO contact details in your ICO registration.

Ireland (DPC): Update your DPO contact through the DPC notification system.

Germany: Update with the relevant Land supervisory authority depending on your seat.

Most authorities have online portals or forms for these updates. Engage Compliance handles these notifications as part of fractional DPO onboarding.

What to tell customers and partners

Enterprise customers and partners who have your DPO listed as their privacy contact need to know about the change. Do not wait for them to discover it via a bounced email.

A brief professional notice is appropriate: "Our previous DPO has departed. Privacy matters can be directed to [new DPO email]. We have appointed [name/firm] as our new DPO effective [date]."

If you engage a fractional DPO, the provider becomes your formal DPO. The provider's contact information should replace your previous DPO's in your privacy notice, your data processing agreements, and your vendor questionnaire responses.

Preventing this from happening again

DPO departures are a known risk. Some practical risk mitigations:

Document thoroughly while your DPO is in role: RoPA, DPIA, breach playbook, vendor list, ongoing matters log. This makes any transition (planned or unplanned) much smoother.

Avoid making your DPO a single point of failure. Even a full-time in-house DPO should have a documented backup contact and a clear escalation path during their absence.

Consider whether a fractional or hybrid model fits better for your stage. Fractional DPO providers do not "leave" in the same way an employee does; if the relationship needs to change, the fractional provider helps transition the work.

How Engage Compliance helps

We provide rapid-start fractional DPO services specifically suited to interim and permanent coverage of a vacated DPO role. We typically engage within one week, with formal supervisory authority notification handled as part of onboarding.

Engage Compliance has supported multiple companies through DPO transitions, both as bridge coverage during a permanent recruitment and as permanent fractional coverage replacing the in-house role.

Get started

If your DPO has just left and you need coverage urgently, book a consultation. We can typically engage within one week, sometimes faster.