AI Officer and DPO
We are living through a genuine artificial intelligence boom. This is not merely a buzzword, but an accurate description of reality. In just a few years, AI has moved from a barely used and largely unknown technology to the general public to an everyday tool that millions of people encounter daily: at work, at school, in personal activities and when searching for information.
Rapid Development of AI and Its Impact on Data Protection
The numbers tell the story clearly. According to an analysis by the Microsoft AI Economy Institute, approximately 16% of the world’s population uses AI in 2025, a remarkably fast adoption rate for such a young technology. Businesses are not lagging behind: OECD data show that roughly one in five companies is actively deploying AI, and that share is growing rapidly. The financial stakes are equally significant: the global AI market is valued at around $390 billion and is growing at double-digit percentage rates each year.
From a data protection perspective, it is important to note that AI tools, large language models in particular, require existing regulation to be applied to a fundamentally new reality. AI tools enable faster and more complex data processing, are better at finding connections and re-identifying seemingly anonymised individuals and can both strengthen and automate cybersecurity while simultaneously making sophisticated attack methods more accessible. When deploying any AI tool or component, every organisation should therefore assess the impact that tool will have on how data is used and protected, and on compliance with the related legal and regulatory obligations.
AI and Law
What legal frameworks typically apply when deploying AI?
- The AI Act sets out a comprehensive regulatory framework governing the development and use of AI, the risk classification of specific use cases, and the obligations of the parties involved.
- The development, training, deployment and ongoing monitoring of AI very frequently involves the processing of personal data, which means GDPR and related data processing rules, such as the ePrivacy Directive, also apply.
- Integrating an AI system into an organisation’s infrastructure affects its operational resilience and cybersecurity. Organisations should therefore address AI adoption from a general liability perspective as well as under applicable cybersecurity regulation (NIS2 Directive, DORA, CER Directive, Cyber Resilience Act (CRA), and so on), or where such compliance is required by their customers.
- The use of AI in specific sectors may be subject to additional sector-specific requirements, whether directly targeting AI tools (for example, in healthcare under the MDR and IVDR Regulations, or documentation and audit-trail requirements under financial regulation) or addressing their integration into products and services.
- AI use also carries a range of private law implications, from copyright questions and risks associated with using a particular model and its outputs, to liability where AI provides factually incorrect answers to end users (including consumer protection considerations, since end users will often be consumers).
Each organisation should assess which legal obligations are relevant to its specific AI use case and address them accordingly. A risk-based approach is necessary in order to react to those risks quickly and efficiently.
Two Approaches to AI Risk Assessment
How does the relevant regulation treat the concept of risk in relation to AI?
It is important to draw a clear distinction between the approach to risk assessment under the AI Act and GDPR on the one hand and under cybersecurity, critical infrastructure or general financial or operational risk management frameworks on the other.
In conventional risk management, severity is assessed from the organisation’s perspective: how severe is the risk to the organisation itself? Under the AI Act and GDPR, by contrast, risk is assessed primarily from the perspective of the affected individual and the potential impact on their rights. A particular activity, tool or security incident may pose very little risk to the organisation itself, with only limited negative consequences for it, yet still qualify as high-risk under the AI Act or GDPR because the potential impact on the rights of even a small number of natural persons may be severe.
When assessing AI-related risks and designing an AI governance framework, both dimensions must be taken into account: the risks to the organisation of (not) implementing AI and the risks to affected individuals arising from the use of AI for specific activities. The governance framework should primarily address the most serious risks across both categories.
Not All AI Officers Are the Same
Many organisations today are approaching artificial intelligence adoption in a structured way and are appointing a dedicated person for this agenda, most commonly under the title of AI Officer. That step is, in itself, unquestionably the right one. The problem arises when an organisation does not think carefully enough about what role that person is actually expected to play.
The position can be conceived in two fundamentally different ways. In the first, the AI Officer is the person who champions and drives AI adoption within the organisation: coordinating deployment, supporting individual departments and leading the organisation-wide rollout. In the second, the AI Officer is the person whose task is to oversee and control AI use, ensure the technology is deployed responsibly, manage the related risks and guarantee compliance with regulatory and ethical requirements. This encompasses both the relatively robust compliance obligations that apply to high-risk AI systems and the general AI literacy obligation under Article 4 AI Act, as well as other legal obligations related to AI deployment.
These two conceptions are fundamentally at odds with each other and pursue mutually incompatible goals. The first points towards rapid adoption and maximising AI’s potential; the second requires caution, critical distance and a focus on risk management and compliance requirements. Merging both agendas into a single role creates a de facto conflict of interest and will, in practice, push one or the other into the background.
When speaking of the AI Officer as someone who, with a degree of independence, sets the rules and oversees responsible AI use, the comparison with the role of the data protection officer (DPO) under GDPR is evident. The parallels between the AI Act and GDPR are, in fact, numerous, including the risk assessment approach described above and the requirement to carry out an impact assessment for new activities or processes: the Data Protection Impact Assessment (DPIA) under Article 35 GDPR, and the Fundamental Rights Impact Assessment (FRIA) under Article 27 AI Act.
For these reasons, we believe it is appropriate to separate the two roles mentioned above: to appoint one person as the “AI evangelist” responsible for driving AI adoption, and another as the “AI governance/compliance officer” responsible for ensuring that AI is implemented correctly and in accordance with all applicable rules and in an ethical way.
The vast majority of companies and public authorities lack the capacity and resources to dedicate a full-time employee solely to the governance role and, indeed, it may well not require a full-time commitment. The question then becomes: who within the organisation is best placed to take on this role in a way that complements rather than conflicts with their existing responsibilities? The data protection officer is the natural candidate.
Current Role of Data Protection Officer
The data protection officer is a person designated by a controller or processor whose primary tasks include providing advice on personal data processing questions, conducting internal training on GDPR requirements, monitoring compliance with the GDPR, and cooperating with the supervisory authority as set out in Article 39 GDPR. Designation is not mandatory for all controllers and processors, but any of them may choose to appoint a DPO voluntarily.
The categories of controllers and processors required to designate a DPO are defined in Article 37 GDPR: organisations carrying out large-scale processing of personal data, organisations systematically processing special categories of data (such as health data), and public authorities. It is reasonable to expect that many of the entities required to designate a DPO will also be among the first to deploy AI systems at scale.
From the perspective of overseeing responsible AI use, the DPO already holds several structural advantages by virtue of their defined position under the GDPR.
First, the DPO enjoys a degree of independence from the organisation’s internal hierarchy. Article 38(3) GDPR requires that controllers and processors ensure the DPO does not receive any instructions regarding the performance of their tasks. The DPO thus functions as a largely independent check, ensuring that personal data processing is conducted lawfully and correctly. This is reinforced by the requirement that the DPO must be able to report directly to the highest level of management, meaning the DPO always has access to senior leadership and can raise concerns about problematic aspects of processing directly (Article 38(3) GDPR).
The DPO must also have access to personal data and processing operations, and the controller or processor is required to involve the DPO properly and in a timely manner in all matters relating to the protection of personal data (Article 38(1) and (2) GDPR). Equally important is the right of data subjects to contact the DPO directly on all matters relating to the processing of their personal data and the exercise of their rights under the GDPR (Article 38(4) GDPR).
This DPO involvement in AI oversight is not merely analogical; the AI Act explicitly requires it in some situations. Pursuant to Article 27(5) AI Act, deployers carrying out a Fundamental Rights Impact Assessment for a high-risk AI system are required to involve the data protection officer, where applicable.
Within the organisation’s risk management model, the DPO represents a classic example of the second line of defence (operational management itself forming the first line).
Personal data processing today runs through virtually every aspect of organisational operations. As a result, the DPO typically has a thorough understanding of the organisation’s internal processes, even those not primarily focused on data processing. At the same time, the use of AI systems (and machine learning more broadly) is an important factor in the DPO’s own risk assessments. Monitoring the extent to which AI is being used within the organisation is therefore essential to the DPO’s core function.
Comparing the DPO and the AI Governance Officer
The table below offers a general comparison of the key aspects of both roles. It should be noted that sector-specific or product regulation may impose additional requirements on the relevant processes and individuals.
| Area | DPO under GDPR | AI compliance officer / AI governance officer |
|---|---|---|
| Legal basis of the role | Expressly provided for in Articles 37–39 GDPR. Mandatory designation in the cases set out in Article 37 GDPR. | Not an expressly regulated role under the AI Act. It is an internal compliance and governance function derived from the obligations under the AI Act (particularly for high-risk AI systems under Articles 9 and 26 AI Act) and the organisation’s general accountability. |
| Primary purpose | Independent advice, training, oversight and monitoring of GDPR compliance; point of contact for supervisory authorities and data subjects. | Ensuring procedural, legal and (where relevant) technical oversight of the lawful and ethical deployment and use of AI systems. For high-risk AI systems, managing compliance with the requirements of the AI Act. |
| Hard skills – law and compliance | GDPR and related national legislation, ePrivacy Directive, employee monitoring under labour law, consumer law. Relevant sector-specific regulation. Cybersecurity. AI Act. | AI Act, relevant product or sector-specific regulation. Consumer law, labour law, and in the context of training data also copyright law. Cybersecurity. GDPR and other data protection rules. |
| Hard skills – technical | Practical understanding of processing operations: data flows, system architecture, security measures, and so on. | Similar to the DPO, plus technical knowledge specific to AI systems: training/validation/test data, bias, AI-specific risks, the “black box” problem, and so on. |
| Hard skills – documentation | Ability to maintain and review records of processing activities, DPIAs, balancing tests, contracts, records of personal data breaches, and internal policies. | Ability to maintain and review an AI inventory and related documentation, contracts with other parties involved, FRIAs, and internal policies. |
| Soft skills | Independence, ability to deliver unwelcome conclusions, communication skills, confidentiality, trustworthiness. Ability to lead multidisciplinary dialogue across departments. | Similar to the DPO. |
| Position in the organisation | Must be involved properly and in a timely manner in all data protection matters, must have adequate resources and access to data and operations, must not receive instructions regarding their tasks, must not be penalised for performing their role, and must be able to report directly to top management (Article 38(1)–(3) GDPR). | Similar to the DPO, but without statutory backing for those protections. |
| Relationship to decision-making | Advisory and monitoring function, not decision-making on processing operations. Conflicts of interest must be prevented (Article 38(6) GDPR). | Greater flexibility in the absence of a statutory definition, but at least for high-risk AI systems this is constrained by the requirements for robust risk management and compliance quality, from which expectations similar to those placed on the DPO and on control functions in general (second line of defence) can be inferred. |
It is important to emphasise the nature of both governance frameworks under GDPR and under the AI Act as general compliance systems. This explains their procedural and methodological similarities, as well as the need to apply comparable requirements to the DPO and the AI governance officer in their shared role as second-line-of-defence functions.
The prevention of conflicts of interest is central to both. A data protection officer cannot make decisions about personal data processing, its purpose, scope, retention periods or security measures, because doing so would objectively compromise their ability to review those decisions independently and verify compliance with the GDPR. Equally, if the AI Officer (in the “AI evangelist” sense) is the one setting the direction for AI use within the organisation, coordinating its deployment or making decisions about it, that same person cannot simultaneously act as the independent overseer ensuring that AI is used legally and ethically.
As the table makes clear, the tasks of the DPO and the AI governance officer will in many cases overlap or at least complement each other, as will the required hard and soft skills. For many organisations seeking to ensure AI compliance, the question of whether to assign the AI governance officer role to the existing DPO will be an obvious first option. There are, of course, situations in which separating the roles will be more appropriate, particularly where the DPO would, for practical or capacity reasons, be unable to adequately perform the AI governance function as well. As a general matter, however, combining these two areas is both coherent and advantageous for the organisation.
Obstacles to Combining Both Roles
There are no statutory obstacles to holding both roles simultaneously. No legislation expressly addresses the concurrent performance of the DPO and AI governance officer roles.
The GDPR addresses the concurrent performance of roles under the conflict of interest provisions in Article 38(6) GDPR, which states: “The data protection officer may fulfil other tasks and duties. The controller or processor shall ensure that any such tasks and duties do not result in a conflict of interests.” The AI Act does not expressly prohibit a dual mandate, nor does it expressly contemplate one. It simply proceeds on the assumption that the GDPR applies in parallel and that the GDPR’s requirements must be met in all circumstances.
Provided the limits set out in Article 38(6) GDPR are observed, there is no obstacle to the concurrent performance of both functions.
For illustrative examples of conflicts of interest for the DPO, we refer to the guidelines on data protection officers issued by the Article 29 Working Party (WP29), as endorsed by the European Data Protection Board (EDPB) (https://ec.europa.eu/newsroom/article29/items/612048). Those guidelines identify senior management positions such as CEO, COO, CFO, head of marketing, head of HR or head of IT as roles that would typically be incompatible with the DPO function, as well as any other position that involves determining the purposes and means of processing. A conflict of interest may also arise, for example, where an external DPO is asked to represent the controller or processor before the courts in cases involving data protection matters.
The WP29 guidelines recommend, as good practice, that organisations identify the positions incompatible with the DPO role, draw up internal rules to prevent conflicts of interest, and ensure that vacancy notices or service contracts for the DPO position are sufficiently precise to avoid such conflicts from the outset. It is also noted that conflicts of interest may take different forms depending on whether the DPO is appointed internally or externally.
Conclusion
The tasks of the DPO and the AI governance officer frequently complement or directly overlap with each other, even if they are not fully identical. The same is largely true of the hard and soft skills both roles require. An organisation with a capable and experienced DPO has someone who can establish and maintain compliance processes, manage data governance, assess risks to individuals, review automated data processing, and scrutinise contracts with vendors involved in (automated) data processing; skills that map directly onto the requirements of Article 9 AI Act (risk management for high-risk AI systems) and Article 26 AI Act (deployer obligations). That person also typically has in-depth knowledge of the organisation and is often one of the few people with a comprehensive overview of its processes and data flows.
When building an effective AI compliance programme, it would be a missed opportunity not to consider involving the DPO as the AI governance officer or as part of a broader AI governance team. In many cases, the DPO will be the ideal candidate to take on responsibility for ensuring compliance with the AI Act.
Vladan Rámiš, Chair of the Committee of the Association for Personal Data Protection (Czech Republic)
František Nonnemann, Vice-Chair of the Committee of the Association for Personal Data Protection (Czech Republic)
