Rob Masson has always been seeing new business opportunities. “You are never an entrepreneur, you’re just always in practice,” he says.  His first venture was a software business that he started as an 18-year-old at college. At the dawn of the internet age,  he started a web development agency and built e-commerce systems. And four years ago, as he was in the earn-out period after exiting the agency, he saw another big opportunity – in data protection.

There was confusion and misconceptions as to what organisations were required to do prior to GDPR coming into force on 25 May 2018, with a massive ensuing demand for consultancy and presentations. 

But Masson saw that once GDPR was in place, demand would switch to finding people with the skills and knowledge about data protection. “The UK market alone was going to require in excess of 15,000 data protection officers to meet the new regulatory requirements, but there were only around 5,000 in existence.”

The DPO Centre, which he founded in 2017, places data protection officers (DPOs) on a fractional basis – anywhere between one to eight days per month – into companies. And it took off from 26 May 2018, when GDPR became law. “We have grown vertically ever since,” he says. “The company has doubled its revenues each year. By 2026, we will hit £39m in revenues and we are tracking that curve. We are at the start of the hockey stick.”

Currently, it has 36 employees but, says Masson, “we can’t grow the team fast enough. Recruitment is our biggest problem.”

The pool of experienced DPOs in the UK is not that large and the DPO Centre is seeking to recruit ready-made DPOs. “There are plenty of people with specialist knowledge of privacy and data protection but we need people who understand the commercial aspects, who can deliver on site as a part of each client’s team, providing advice according to each client’s risk appetite and profile.”

The majority of the DPO Centre’s customers are medium-sized businesses who are finding the regulatory complexities in this area increasingly problematic to manage in-house.

In addition, some corporates are also starting to look to outsource their data protection department – and landing such contracts will further accelerate growth. “We will start to nip at the heels of the large professional advisory firms,” says Masson. “We will be 300-strong in the next three years and our expertise will be focused on data protection.”

He emphasises that the value for companies of getting data protection right is not about mitigating reputational risk and avoiding fines arising from data breaches. “Do it well and you build trust and engagement and loyalty among your customers. It creates business value.”

If GDPR was a catalyst, regulatory divergence in data protection laws created by the UK’s exit from the EU is also proving to be a spur to growth. “Brexit has been a massive bonus,” says Masson. So too has been the burgeoning of such legislation in other nations. “It’s so important for us to keep scaling our team so we can keep creating an ever-deeper pool of global knowledge about data protection.”

The Covid pandemic has also been good for the DPO Centre as the transition to working from home threw up new data protection issues that privacy professionals had to deal with. 

“It reinforced how dynamic and adaptable data protection practices and frameworks need to be,” says Masson. In many cases, data processing is occurring at home, making it much harder to apply the appropriate ‘technical and organisational measures’ that the law demands and to respond fully to individuals’ rights requests.”

So when Covid first hit, Masson doubled down on marketing and branding, introduced new initiatives and switched from face-to-face event led marketing to a fully digital one. The company’s last full year results showed 91% growth in revenue, 102% growth in EBITDA and 106% growth in headcount.

Masson is on the Scaleup programme run by Scale Up New Anglia. “Every business has its glass ceilings and so the programme enables me to exchange ideas and experiences with other business leaders who are also looking to break through theirs,” he says. “I always want to engage with external partners – you never know everything. No matter how experienced you are, you have a limited view. ” In the same spirit, he has assembled an advisory board as “a resource that helps to expand our perspective.”

The DPO Centre has offices in Ipswich, London and Dublin along with a network of ‘establishments’ in all 27 EU member states (which provides a postal and visiting address – “more than a brass plaque but not a fully-manned office” is how Masson describes them). Looking further afield, Masson says that he is attracted by the potential in the Middle East, Latin America and Australasia but for now the UK will remain the prime market. “There are 60,000 businesses here employing more than 50 people who arguably need to have a DPO. We reckon our market share is 0.6 per cent at present. That’s a massive opportunity for us to go after. We have a defined business plan – we just need to scale it.”

"The company has doubled its revenues each year. By 2026, we will hit £39m in revenues and we are tracking that curve. We are at the start of the hockey stick."

Rob Masson, CEO, DPO Centre