Privacy and data protection are no longer secondary aspects of technological development, but a central element in the design of products and services, in user trust and in the legal viability of any business model. In this context, the Data Protection Officer (DPO) has become an essential figure for technology startups, not only to comply with the General Data Protection Regulation (GDPR), but also to navigate safely in an environment that is increasingly demanding in terms of transparency, security and accountability.
Startups in the eye of the data hurricane
Technology startups usually operate in sectors such as artificial intelligence, fintech, digital health, edtech or user behavior analysis. These areas share a common characteristic: intensive processing of personal data, often sensitive or subject to continuous monitoring. Despite their size, these companies handle information as delicate as that of any large corporation.
The problem, as ATICO34 GROUP points out, is that “In the beginning, many of these companies put speed before effectiveness in regulatory compliance (…) launching an app, acquiring users or getting investment are absolute priorities, and therefore aspects such as the processing of personal data, privacy by design or information security are usually neglected, and that is where the figure of the DPO comes in.”
What exactly does a DPO do?
The Data Protection Officer is responsible for supervising compliance with the General Data Protection Regulation (GDPR), the Organic Law on the Protection of Personal Data and Guarantee of Digital Rights (LOPDGDD) and other privacy regulations.
Privacy 4.0: Why should all technology startups hire a data protection officer?
Ricardo Prada, from the Grupo Atico34 Legal Team in Madrid, one of the most prestigious data protection companies in Spain, sets out for Byte magazine the main functions of a DPO: “It could be said that there are four basic pillars within the responsibilities of a DPO, which are advising the company on data protection, supervising privacy impact assessments, acting as a point of contact with the authorities and users, and promoting an organizational culture respectful of privacy.”
Unlike an external consultant or a lawyer brought in for a one-off matter, the DPO has a strategic, cross-cutting view of how data is managed within the company. The DPO's role is not to block innovation, but to ensure that it is carried out responsibly and on a sound legal footing.
AI, Cybersecurity and cybercraft: the new rules of the game
The rise of artificial intelligence has put deep ethical and legal dilemmas on the table. Algorithms that make automated decisions, facial recognition tools and generative models for text and images require rigorous supervision in terms of privacy.
At the same time, cybersecurity has become a critical priority. In 2024, Spain registered almost 30 million euros in sanctions for breaches of the GDPR, affecting large companies but also startups. Data leaks, lack of consent and exposure of information through design errors are at the center of many of these sanctions.
As if that were not enough, new European regulations such as the DORA Law or the Cyber Records will require companies to demonstrate that they can withstand and recover from technological incidents, including those that affect privacy.
Against this backdrop, the DPO emerges as the pillar that makes it possible to align technology with compliance and trust.
Are startups required to have a DPO?
According to the GDPR, a company must designate a DPO if:
- Its activities involve the regular and systematic monitoring of personal data on a large scale.
- It processes special categories of data (health, sexual orientation, biometrics, etc.) or criminal data.
- It operates as a public authority or body (although this is unusual for startups).
Many technology startups meet at least one of these criteria, although they don’t always know it. For example, an app that geolocates users and offers personalized recommendations is already carrying out large-scale, systematic processing.
But even when there is no explicit legal obligation, hiring a DPO is a strategic advantage.
What happens if you don't hire one?
Not having a DPO when it is mandatory can lead to sanctions of up to 10 million euros or 2% of turnover. Beyond the financial cost, a company's reputation is seriously damaged after a breach or an investigation by the data protection authority. In an ecosystem where trust is a critical asset, negligence is not an option.
And the truth is that numerous companies have already been sanctioned by the AEPD. Glovoapp23, SL was sanctioned with 25,000 euros for not designating a data protection officer, despite carrying out large-scale and systematic processing of personal data. Around the same time, the company Conscurity, SL, dedicated to video surveillance services, received a fine of 50,000 euros for the same reason, since its activity involved the intensive processing of sensitive data. More recently, a company in the online gaming sector was sanctioned with 10,000 euros for not having a DPO, despite being obliged to have one by the nature of its digital activity and the continuous monitoring of users.
