15th May 2026

AI and the expanding role of the DPO

As artificial intelligence becomes more deeply embedded across organisations, the role of the Data Protection Officer is evolving rapidly, writes David O’Sullivan

A man opening a big file folder with a key

Once primarily focused on the European Union’s General Data Protection Regulation (GDPR), privacy notices and breach management, today’s Data Protection Officer (DPO) is increasingly expected to contribute to broader discussions around artificial intelligence (AI) governance, risk management, transparency and accountability.

AI initiatives are accelerating across organisations, often driven by wider digital transformation, vendor-enabled AI functionality and growing organisational pressure to improve efficiency and service delivery.

While adoption is accelerating, however, governance structures are not always keeping pace.

Increasing expectations on DPOs

DPOs are increasingly being asked to review AI-enabled projects, contribute to governance forums, support impact assessments, advise on transparency obligations and help organisations interpret emerging regulatory requirements under the EU’s Artificial Intelligence Act and related legislation.

In many cases, DPOs are becoming the default point of contact for AI-related concerns simply because AI systems are data-driven and often involve personal data processing.

DPOs possess many of the skills needed to support responsible AI deployment, but some organisations are relying too heavily on privacy teams without establishing clear ownership structures for AI governance.

DPOs should support and challenge AI deployment, but they should not become operational owners of AI systems.

Preserving independence

Maintaining DPO independence has emerged as one of the most important governance considerations.

As organisations establish AI steering groups and governance committees, DPOs are increasingly invited to participate. While this involvement is valuable, organisations must ensure that their oversight responsibilities remain clear.

Responsibility for implementation typically rests with IT, digital transformation teams or operational business functions, with information security teams for technical controls.

The DPO’s role remains advisory and oversight-focused, helping organisations identify risks, assess compliance obligations and embed accountability into decision-making processes.

The importance of early involvement

DPOs are often involved too late in AI initiatives with new technologies being selected, piloted or even deployed before privacy teams are consulted.

This can create unnecessary risk and often results in delayed remediation work, additional costs or governance gaps.

Early engagement enables organisations to:

  • Identify privacy and governance risks sooner;
  • Assess transparency and lawful processing requirements;
  • Evaluate potential impacts on individuals’ rights;
  • Support more effective impact assessments; and
  • Establish stronger accountability structures from the outset.

This challenge is not unique to AI projects but the pace and complexity of AI adoption makes early involvement even more critical.

Skills and capability gaps

While AI has existed for decades, organisations are still developing the practical skills needed to govern it effectively.

DPOs often feel expected to assess complex AI-related risks without having the same technical understanding they may possess for more traditional technologies.

There is a need for practical, plain-language training that bridges legal, operational and technical perspectives.

AI literacy cannot sit solely within privacy teams. IT, information security, procurement, legal and operational teams all need a shared understanding of how AI systems function, where risks arise and how governance responsibilities interact.

Responsible approach to AI

The role of the DPO will continue to evolve as AI adoption accelerates. This evolution presents both challenges and opportunities.

Organisations that establish clear governance structures, preserve DPO independence, invest in cross-functional skills and involve privacy expertise early in AI initiatives will be better positioned to deploy AI responsibly while maintaining public trust.

For many organisations, the immediate priority is not simply adopting AI tools, but building the governance foundations needed to support them safely and effectively.

David O’Sullivan is Director of Consulting at Forvis Mazars