DPO vs Privacy Consultant vs Privacy Counsel

These three roles are often used interchangeably and sometimes overlap, but they are not the same thing under GDPR. The differences matter for legal compliance, attorney privilege, and what kind of work each role can actually do.

This page explains the three roles, when each is required or appropriate, and how companies typically combine them.

The Data Protection Officer (DPO)

The Data Protection Officer is a role defined by GDPR Article 37. The DPO has specific legal duties under Article 39 including monitoring compliance with GDPR, advising the controller on data protection obligations, cooperating with the supervisory authority, and acting as the point of contact for data subjects and regulators.

Under Article 37(1), a controller or processor must designate a DPO if it is a public authority or body; if its core activities consist of processing operations that require regular and systematic monitoring of data subjects on a large scale; or if its core activities consist of large-scale processing of special category data under Article 9 (racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data used for unique identification, health data, and data concerning sex life or sexual orientation) or of criminal conviction and offence data under Article 10. Note that "core activities" and "large scale" are the tests; incidental processing of special category data, such as employee sick notes, does not by itself trigger the obligation.

The DPO can be an internal employee or an external service provider under a service contract (Article 37(6)). The role can be combined with other duties only where no conflict of interest results (Article 38(6)); in practice this rules out roles that determine the purposes and means of processing, such as head of IT, head of marketing, or the CEO.

Critically, the DPO is not legally responsible for the company's compliance. The controller and processor remain legally responsible. The DPO's role is to advise, monitor, and inform.

The Privacy Consultant

A privacy consultant is anyone who provides privacy advice or services without holding the formal DPO role. Privacy consultants can be highly experienced specialists, but they have no specific legal status under GDPR.

Privacy consultants typically help with privacy program design, gap assessments, policy drafting, training delivery, vendor reviews, DPIA support, breach response planning, and technical privacy implementation work.

A privacy consultant can do most of what a DPO does operationally. What they cannot do is satisfy the formal Article 37 appointment requirement. A company in scope of Article 37 cannot rely on a privacy consultant alone; they need a named DPO.

The relationship between DPO and consultant is often blurred. The DPO function is often delivered by what is in practice a senior privacy consultant who additionally accepts the formal DPO appointment and the legal duties that come with it.

Privacy Counsel

Privacy counsel is a lawyer who provides legal advice on privacy law. This includes interpretation of statutes and case law, advice on litigation risk, preparation of contractual provisions like data processing agreements, response to regulator inquiries with legal privilege protection, and representation in privacy-related disputes.

Privacy counsel is a lawyer first, privacy specialist second. They hold a bar admission, they owe professional duties (including confidentiality and competence), and their advice is typically protected by legal privilege. One caveat a practitioner should keep in mind: privilege is jurisdiction-specific. Its scope is narrower in many EU member states than in the US, and advice from in-house lawyers is not always covered, which is one reason privilege-sensitive work is usually routed to outside counsel.

What privacy counsel does not typically do is the operational privacy work. Counsel will advise on what the law requires; counsel will not typically build your Records of Processing Activities, fill out your enterprise vendor questionnaires, or run your breach response playbook.

How the roles compare

The comparison table at the end of this page summarises the three roles by legal status under GDPR, typical work, privilege, and when each is needed.

Which one your company needs

If GDPR Article 37 applies to you, you need a DPO. This is not optional. The DPO can be internal or external.

If you have complex contractual matters (data processing agreements with major vendors, cross-border transfer arrangements, regulator litigation), you need privacy counsel. This is typically a law firm engagement.

If you have a privacy program to build but no formal DPO obligation, a privacy consultant may be sufficient.

Most companies eventually need all three but at different intensities. A typical setup at Series A through Series C:

  • A fractional DPO on retainer (handles ongoing compliance, vendor questionnaires, breach response, regulator interactions, RoPA, DPIA). 500 to 5,000 EUR per month.

  • Outside privacy counsel on hourly basis for legal opinions, complex contracts, and regulator litigation. 300 to 800 EUR per hour, used as needed.

  • Internal privacy program manager or engineer (if at later stage) handles execution. 60,000 to 120,000 EUR per year.

Common pitfalls

Companies sometimes try to use outside privacy counsel as the DPO. This usually creates a conflict of interest under GDPR Article 38(6), because counsel cannot independently monitor compliance while also providing the company's legal defence. The Article 29 Working Party's DPO guidelines (WP 243) give the example of an external DPO representing the controller before the courts in data protection matters as a conflict of interest, so supervisory authorities view this configuration with suspicion.

Companies sometimes appoint an internal employee with no privacy background as DPO to satisfy the Article 37 requirement on paper. Article 37(5) requires the DPO to be designated on the basis of professional qualities and, in particular, expert knowledge of data protection law and practice. An unqualified appointee cannot perform the Article 39 duties, and the company may still face enforcement action for an inadequate appointment.

Companies sometimes hire a privacy consultant and assume they have a DPO. They do not. The DPO appointment must be formal, the DPO's contact details must be published and communicated to the supervisory authority (Article 37(7)), and the appointee must carry the legal duties under Article 39 with the independence guarantees of Article 38.

How Engage Compliance fits

Engage Compliance is a fractional DPO and privacy consultancy. We deliver the DPO function under formal appointment, handle operational privacy work as needed, and coordinate with outside privacy counsel for matters requiring legal advice or attorney privilege.

This is the most common configuration for technology companies at Seed through Series C. You get a senior DPO covering the formal Article 37 role, ongoing operational privacy work, and a clear point of escalation to counsel when needed.

Get started

Book a consultation to discuss what configuration fits your company.

Comparison table

Role               | Legal status under GDPR         | Typical work                                                            | Privilege           | When needed
DPO                | Defined under Articles 37 to 39 | Compliance monitoring, advice, regulator liaison, data subject contact  | No legal privilege  | Required if Article 37 applies
Privacy Consultant | No defined status               | Program building, gap assessments, policies, training, operations       | No legal privilege  | Optional, depends on need
Privacy Counsel    | No defined status               | Legal interpretation, contract drafting, litigation, regulator response | Legal privilege     | Optional, depends on legal complexity