While compliance and data protection have been around for some time, especially in fields such as finance and health, they have always been bundled together into legal and information security roles. The rise of increasingly complex data protection regulations that have made companies liable for the security of the data they collect in the eyes of the law has led to the appearance of new specialized compliance roles such as Data Protection Officer (DPO) and Chief Privacy Officer (CPO). Although they operate within the same area, just how similar are these roles, and do companies need both? Let’s take a closer look!
DPOs: the guardians of compliance
According to the United Nations Conference on Trade and Development, 132 countries now have legislation in place to ensure data privacy and data protection. Under several of them, most notably the European Union’s General Data Protection Regulation (GDPR), Brazil’s Lei Geral de Proteção de Dados (LGPD), and Singapore’s Personal Data Protection Act (PDPA), the appointment of a DPO is mandatory under certain circumstances. While requirements may differ from law to law depending on the size of an organization or the amount of data it collects or processes on a daily basis, many companies running on a modern digitized infrastructure are now required to have a DPO.
DPOs are, therefore, a legally required role. They also have a special status within the company: they report directly to the highest management level, cooperate with supervisory authorities, and need to be fully independent. Their duty is primarily towards the law and data subjects, and managers cannot give them orders that contravene it. DPOs also cannot be penalized or dismissed for carrying out their responsibilities as dictated by the law. Companies are obligated to provide DPOs with the resources, information, and support they need to perform their duties effectively. They must also ensure that the DPO is involved properly and in a timely manner in issues related to the protection of personal data and has access to the company’s data processing activities. DPOs should be hired on the basis of their professional qualities, particularly their experience and expert knowledge of data protection law.
If a company does not require the services of a DPO full-time, the DPO can be assigned other responsibilities as long as there is no conflict of interest with their DPO duties. Organizations can also appoint an external DPO who serves multiple companies, or contract the role out as a third-party service.
While the DPO role and the assigned duties may differ slightly depending on the privacy law that makes their appointment mandatory, they generally act as a liaison between a company and local data protection authorities and the point of contact for data subjects that want to exercise their rights under data protection regulations. Their core activities include monitoring compliance with data protection regulations and conducting internal audits to ensure regulatory compliance. They are also responsible for raising awareness within the company about compliance requirements, training staff involved in data processing operations, and advising on data protection impact assessments (DPIA).
CPOs: when privacy reaches the C-level
CPO is a C-level position that emerged as compliance with data protection regulations became an increasingly complex and time-consuming issue for Chief Information Security Officers (CISOs) or Chief Information Officers (CIOs). CPOs were tasked with ensuring an organization’s data protection practices are in line with the latest international standards and compliance needs. They oversee how data is collected, shared, stored, and transmitted and raise awareness about compliance requirements within the company. They are also responsible for the development and testing of data breach response plans and data protection impact assessments.
Most importantly, a CPO’s priority is the welfare of the company. Their duty is to build trust with customers and enhance an organization’s reputation as privacy-conscious and compliant with data protection rules. They act as the point of communication with the media and, in case of a security incident, must have a communication strategy in place to mitigate any public fallout.
DPO vs. CPO
While both DPOs and CPOs address a company’s privacy responsibilities, the drivers behind the two roles are very different. While DPOs act as independent compliance safeguards, CPOs have a broader, more strategic role, aligned to organizational privacy objectives. CPOs also have an active role in managing privacy policies, governance, and compliance. DPOs, on the other hand, have a more advisory function and police these activities.
Although they both answer directly to senior management, DPOs do not have the decision-making power of C-level executives like CPOs. DPOs inform managers about compliance requirements, the results of audits, and areas that need improvement, but they cannot implement any policies directly. That power rests in the hands of the CPOs, who are expected to drive data protection strategies and come up with concrete policies to address compliance and data protection needs.
In terms of skills, while both roles benefit from a technology background, DPOs are expected to have the legal expertise to deal efficiently with their responsibilities. Experience in IT auditing and performing risk assessments is also desirable. CPO roles are more flexible and can be filled from a variety of backgrounds, but they require highly adaptable individuals who are able communicators.
The inclusion of terms such as privacy and data protection in their titles creates the illusion that CPOs and DPOs are both privacy professionals who share similar duties, but while they function within the same area of expertise, the level at which they act as well as their priorities differ greatly. The position of the DPO remains a legal requirement that companies must comply with, while a CPO is a mark of an organization that takes privacy seriously at the highest level.