The Data Protection Officer (DPO) and Professional Indemnity

The Data Protection Officer, or DPO, is a new position created as a result of the GDPR. Companies employ a DPO to protect themselves and to comply with this new legislation. But what insurance protects the DPO?


The Responsibilities of a DPO (Data Protection Officer)

With the entry into force of the GDPR (a law which protects personal data) on 25 May 2018, many companies are required by law to employ a Data Protection Officer (DPO) or to engage an external DPO. Some of the duties carried out by a DPO are:

• Being responsible for the general data protection strategy.
• Giving information and advising the firm about how to meet GDPR requirements.
• Acting as the first point of contact when government bodies carry out GDPR checks. This means the DPO must maintain records of the actions taken in relation to the GDPR.

This means the DPO acts mainly as a consultant and compliance officer for the protection of personal data. But what happens if the DPO makes a mistake? Who protects them?

'Internal' Data Protection Officer vs 'external' consultant

Firms appointing a DPO have two options:

• They can opt to appoint an employee as the DPO internally if the employee is qualified for the position.
• Or, the firm can choose to hire an external consultant as their Data Protection Officer.

The main difference between the two lies in who bears responsibility for their duties. An internal DPO is fully covered by the firm’s liability insurance. An external DPO, however, can be held personally liable for any malpractice. In the section below, we set out briefly how the DPO can be covered against this.

How an external DPO can be protected

First and foremost, it is important to know that if a firm does not comply with the GDPR, the DPO cannot be held to bear ultimate responsibility for that. In such cases, the liability rests fully with the firm.

However, the Data Protection Officer must be protected in respect of duties that relate indirectly to the GDPR and for which clients may hold the DPO liable.

By taking out a professional indemnity insurance policy with the right data protection nuances, DPOs are protected against any intellectual malpractice when carrying out their activities.

Some practical examples

A survey of various insurers showed the following examples of situations where professional indemnity insurance can step in to protect a DPO. Please note that these cases are examples. Each case is different and is reviewed and assessed individually by the relevant experts.

• The DPO gives wrong advice on the customer’s privacy policy, with the result that customer data are leaked.

• The DPO holds various important customer data-processing records and loses them.

• The customer suffers a financial loss due to wrong advice on the GDPR and data processing.

• The DPO develops an entire software system for data processing, and the customer loses data during a software upgrade.

Do you need professional indemnity insurance as a DPO?

Whether you are already a Data Protection Officer or plan to expand your activities and would like some advice on how to best protect yourself, feel free to contact us on +32 (0)3 217 67 53 or We’ll be happy to help.

Jesse Mertens

We are here for you.
