Eight years after GDPR entered into force, the DPO function has evolved considerably. Initially focused on maintaining the register of processing activities, it has become a strategic cog in the organisation. But this evolution comes with growing complexity: in 2026, GDPR interacts with around ten other regulations (DORA, NIS 2, AI Act) creating a dense regulatory mesh.
This reality pushes DPOs toward a more collaborative approach. Gone are the days when they could manage their scope alone from an Excel file. Today they orchestrate an ecosystem of internal and external actors, each with their own technical and budgetary constraints. Privacy by Design is no longer optional — it’s an operational necessity requiring adapted tools.
Evolution of the DPO function: from documentation to strategic orchestration
The interconnection between GDPR, NIS 2 and DORA in 2026
The 2026 regulatory landscape requires an integrated view of data governance. NIS 2, applicable to essential and important entities, requires cybersecurity measures that directly overlap with GDPR obligations. DORA, specific to the financial sector, requires operational resilience that impacts customer personal-data management.
For DPOs in affected sectors, each DPIA must now integrate business-continuity and crisis-management considerations. The siloed approach is no longer viable. A security incident can simultaneously trigger notification obligations to the CNIL (72h maximum), to ANSSI and to ACPR depending on the case.
This interconnection justifies adopting GDPR compliance software capable of managing multiple frameworks. Rather than maintaining three distinct processes, organisations can centralise their obligations on a single platform that automates cross-referencing and avoids duplication.
The DPO as a pivot between technical, legal and business teams
The modern DPO must translate CISO technical requirements into legal obligations understandable by business teams. This translation function is crucial during budget arbitration. When Marketing requests a new CRM integration, the DPO must quickly evaluate impact on legal basis, international transfers and retention periods.
Modern compliance software enables the DPO to create approval workflows involving the CISO on technical aspects and business leads on functional validation. Each stakeholder accesses relevant information without drowning in irrelevant considerations.
Privacy by Design: identifying and removing structural barriers
The persistent operational awareness deficit
Despite years of training, many operational teams don’t grasp the concrete GDPR implications. They apply procedures by habit without understanding underlying risks. This creates dangerous “shortcuts”: excessive data collection, extended retention without justification, or lack of prior analysis for new processing activities.
The DPO’s challenge is making compliance tangible. Instead of annual theoretical training, contextualise risks with sector examples. A bank doesn’t raise awareness like an e-commerce company: data, risks and penalties differ.
Saturation facing data-flow multiplication
The explosion of SaaS tools and generative AI adoption multiply data processing. A DPO can now manage 200-300 projects per year in a mid-sized organisation. This workload makes individual deep analysis of each project impossible.
The risk is double: either the DPO becomes a bottleneck slowing innovation, or they apply a superficial approach that lets major non-compliance slip through. The solution is intelligent automation that handles low-risk projects automatically while reserving human expertise for complex cases.
Financial impact and design-cost arbitration
Integrating data protection from design has a cost — encryption, anonymisation, consent-management infrastructure represent 5 to 15% of an IT project budget. This creates budget tensions, particularly in SMEs.
The financial argument for Privacy by Design rests on ROI. A data breach costs on average $4.88 million according to IBM. A CNIL penalty can reach 4% of global revenue. Against these amounts, initial compliance investment becomes negligible.
Cultural transformation and executive support
Privacy by Design transforms how products and services are designed. This cultural shift requires strong executive sponsorship. Without it, the DPO is seen as an innovation obstacle rather than a sustainable-growth enabler.
The transformation requires performance indicators integrating compliance. Instead of only measuring development velocity, teams should be evaluated on their ability to deliver “secure by design” features.
Methodology to involve stakeholders from the start
Early engagement: a project-viability necessity
Involving the DPO at the end of the development cycle multiplies compliance costs by 10 to 30. At that stage, fixing a non-compliant architecture often requires redesigning entire application areas. Early engagement integrates data-protection constraints as normal functional specifications.
Project kick-off must systematically include the DPO and CISO for a preliminary evaluation — a 30-minute meeting that identifies attention points and plans needed deep analyses.
The business case for Privacy by Design
GDPR compliance has become a selection criterion in B2B tenders. Procurement departments now require compliance proofs (certifications, audits, up-to-date registers) before selecting a supplier. This transforms regulatory constraint into a competitive advantage.
Privacy by Design also improves data quality. Minimisation forces teams to reflect on the real utility of each collected data point — cleaner databases, more relevant analyses, better-targeted marketing campaigns.
Structuring an internal network of “Privacy Champions”
“Privacy Champions” are trained employees who relay good practices in their teams. These ambassadors have dual expertise: they master their service’s business stakes and have solid data-protection training. They can resolve 70% of compliance questions without escalating to the DPO.
This organisation multiplies DPO intervention capacity and anchors data culture close to operations.
The operational Privacy by Design framework in 2026
Key phases of a compliant project lifecycle
The Privacy by Design approach follows a 5-phase structured process:
- Initial qualification: determine if the project falls within GDPR scope and evaluate risk level.
- Impact analysis: run a DPIA if needed, identify technical and organisational measures.
- Choice validation: get architecture and security measures approved by DPO and CISO.
- Controlled implementation: verify developments respect security specifications.
- Production release and follow-up: monitor compliance indicators.
Each phase generates documentation feeding accountability.
Automating DPIAs via collaborative workflows
Classic DPIA is a 20-50 page Word document requiring weeks of writing. Modern compliance software transforms DPIA into a dynamic questionnaire adapting to project-lead responses.
This automation divides standard DPIA delivery time by 5 while improving quality. The DPO focuses on high-risk analysis rather than formatting.
Embedding compliance in development pipelines
DevOps teams progressively integrate compliance controls in their deployment chains. Tools like Terraform or Ansible can automatically verify that cloud resources respect encryption and geographical-location standards defined by the DPO.
GDPR checks become unit tests like any other. A deployment fails if personal data isn’t encrypted.
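As an added illustration of the pipeline gate described above (example code written for this article, not Make IT Safe's or HashiCorp's own), the following Python script reads the JSON produced by `terraform show -json tfplan` and blocks the deployment when a resource tagged as holding personal data is created or updated without encryption at rest, or in a region the DPO has not approved. The approved-region list, the `data_classification = "personal"` tagging convention, the per-resource `region` field and the sample plan are constructed assumptions; the encryption attribute names (`storage_encrypted`, `encrypted`) are real AWS provider attributes.

```python
"""Policy-as-code gate run against `terraform show -json tfplan` output.

Example code added for illustration (not from the original article or any
vendor): fails the pipeline when a resource tagged as holding personal data
is unencrypted at rest or hosted outside the DPO-approved regions.
"""
import json
import sys

# Assumption: the regions the DPO has approved for hosting personal data.
ALLOWED_REGIONS = {"eu-west-1", "eu-west-3", "eu-central-1"}

# Storage resource types and the AWS provider attribute that turns on
# encryption at rest (these attribute names exist in the AWS provider).
ENCRYPTION_ATTR = {
    "aws_db_instance": "storage_encrypted",
    "aws_rds_cluster": "storage_encrypted",
    "aws_ebs_volume": "encrypted",
}


def handles_personal_data(after: dict) -> bool:
    """A resource is in scope when the project team tagged it as holding
    personal data (assumed convention: data_classification = "personal")."""
    tags = after.get("tags") or {}
    return tags.get("data_classification") == "personal"


def check_plan(plan: dict) -> list:
    """Return one finding per violation; an empty list means the gate passes."""
    findings = []
    for rc in plan.get("resource_changes", []):
        change = rc.get("change", {})
        if not {"create", "update"} & set(change.get("actions", [])):
            continue  # deletes and no-ops cannot introduce new storage
        after = change.get("after") or {}
        if not handles_personal_data(after):
            continue
        attr = ENCRYPTION_ATTR.get(rc.get("type"))
        if attr is not None and after.get(attr) is not True:
            findings.append(
                f"{rc['address']}: personal data stored without encryption "
                f"at rest ({attr} is not true)")
        # Assumption: this constructed plan records the region on each
        # resource; a real pipeline would read it from the provider config.
        region = after.get("region")
        if region is not None and region not in ALLOWED_REGIONS:
            findings.append(
                f"{rc['address']}: hosted in {region}, outside the approved regions")
    return findings


def load_findings(plan_json: str) -> list:
    """Parse plan JSON text and run the checks."""
    return check_plan(json.loads(plan_json))


# Constructed sample plan, trimmed to the fields the checks read.
SAMPLE_PLAN_JSON = """
{
  "resource_changes": [
    {"address": "aws_db_instance.crm", "type": "aws_db_instance",
     "change": {"actions": ["create"],
                "after": {"storage_encrypted": false, "region": "eu-west-1",
                          "tags": {"data_classification": "personal"}}}},
    {"address": "aws_ebs_volume.backups", "type": "aws_ebs_volume",
     "change": {"actions": ["update"],
                "after": {"encrypted": true, "region": "us-east-1",
                          "tags": {"data_classification": "personal"}}}},
    {"address": "aws_db_instance.metrics", "type": "aws_db_instance",
     "change": {"actions": ["create"],
                "after": {"storage_encrypted": false, "region": "eu-west-1",
                          "tags": {"data_classification": "internal"}}}},
    {"address": "aws_ebs_volume.old", "type": "aws_ebs_volume",
     "change": {"actions": ["delete"], "after": null}}
  ]
}
"""


def gate(plan_json: str) -> int:
    """Exit code for the pipeline step: 0 passes, 1 blocks the deployment."""
    findings = load_findings(plan_json)
    for finding in findings:
        print("FAIL", finding)
    return 1 if findings else 0


if __name__ == "__main__":
    # Usage: terraform show -json tfplan > plan.json && python gdpr_gate.py plan.json
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_PLAN_JSON
    sys.exit(gate(text))
```

Run on the embedded sample, the gate reports two findings (the unencrypted CRM database and the backup volume in a non-approved region), ignores the unencrypted volume tagged as internal data because it is out of scope, and skips the deleted volume. Wiring the script into a CI step before `terraform apply` turns the DPO's encryption and hosting rules into a test the build has to pass.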
Best practices for agile, collaborative governance
Critical alignment between Procurement, IT and Security
New supplier selection involves three complementary evaluations — financial (Procurement), technical (IT) and regulatory (DPO/CISO). These must run in parallel to avoid discovering non-compliance after contract signing.
Moving beyond an accounting view of the processing register
The register shouldn’t be static — it should become a steering tool that helps make better business decisions. A well-exploited register reveals redundancies, identifies underused data and highlights concentration risks.
The role of centralised third-party management
Third-party management often represents 40-60% of DPO workload. Manual follow-up becomes unmanageable beyond 50 suppliers. Compliance software automates the routine: periodic questionnaire sending, automatic reminders, response consolidation and non-compliance alerts.
Why collaborative compliance software has become essential
Abandoning spreadsheets for dynamic dashboards
Excel remains the most used DPO tool, but it hits limits facing current demands: it offers no workflow management, its change traceability is unreliable, and formula errors go unnoticed. These limitations create major operational risks.
Ensuring data sovereignty and action traceability
Traceability is at the heart of GDPR accountability. Every DPO action must be reconstructable during an audit. European cloud solutions like Make IT Safe guarantee compliance data stays under European jurisdiction.
Make IT Safe: centralise cybersecurity and GDPR compliance
Make IT Safe was designed by practitioners to answer concrete DPO and CISO challenges. The platform natively integrates main regulations (GDPR, ISO 27001, NIS 2) and enables unified cyber and regulatory risk management.
Key takeaways
- The DPO function has evolved into strategic orchestration.
- Early engagement divides costs by 10.
- Privacy Champions multiply effectiveness — 70% of questions handled internally.
- DPIA automation changes the game — dynamic questionnaire beats 50-page Word doc.
- Excel creates more risk than it resolves.
- Compliance-data sovereignty matters — European hosting avoids legal complications.
FAQ
Penalties for poor Privacy by Design? Up to €20 million or 4% of global revenue. Beyond financial, the CNIL can impose compliance injunctions with penalties, or temporarily ban the offending processing.
Does compliance software ease CNIL controls? Considerably. The tool instantly provides required elements: up-to-date register, DPIA history, awareness proofs, supplier follow-up.
Does Privacy by Design apply to existing projects? Legally to new or substantially modified processing. In practice, compliance review of critical existing processing is recommended.
How to split roles between DPO and CISO? DPO focuses on legal aspects (legal basis, data-subject rights, retention). CISO brings technical expertise (encryption, access controls, incident detection). Collaborative software enables work on the same risk analysis without duplication.
Does an SME need compliance software? Once the organisation uses 10+ SaaS tools or processes 1000+ customer files per year, manual management becomes risky.
Going further
Start by auditing your current compliance-management tools. If you use more than three Excel files, you’re at risk. Begin by automating one critical process like new-supplier evaluation. In weeks you’ll measure time savings and better traceability.
Finally, anticipate regulatory evolution by choosing a solution capable of handling multiple frameworks simultaneously. The European AI Act will fully apply by 2027, creating new obligations for organisations using AI systems. Equipping yourself now is a strategic investment for the coming decade.