The data protection officer is a relatively new role that received prominence in the wake of the European Union's GDPR regulations on data privacy. Data protection officer responsibilities go beyond traditional IT, legal and security roles to provide a holistic view on data privacy, security, education and even opportunity across the organization.
"Now more than ever before, organizations are being forced to look at privacy as a strategic operating practice and even a competitive differentiator given the challenging data security environment," said Pravin Kothari, founder and CEO of CipherCloud, a cloud security service. He sees this trend mirroring the rise of the CISO 10 years ago as enterprises grapple with changing privacy regimes in Europe, California and even Brazil.
Data protection officer responsibilities include a strategic aspect in helping to guide the organization through a process of continuous compliance by incorporating privacy safeguards and best practices into nearly every operation. This is becoming a strategic enabler as companies grapple with safely supporting increased remote work.
"Having a strategic view into privacy implications is not merely a necessity in maintaining compliance but something that can help you beat the competition to market," Kothari said.
This article is part of
What is a data protection officer?
Although there are numerous privacy laws and regulations that a data protection officer (DPO) can help organizations maneuver, the DPO role is most often associated with the formal requirements of articles 37 to 39 of the European Union's GDPR, explained Sal Aurigemma, associate professor of computer information systems at the University of Tulsa. The GDPR requires all companies that collect or process the personal data of EU residents to develop policies and procedures covering the collection, processing and management of personal data.
It's also important for companies to consider the DPO's role in facilitating collaboration across various stakeholders, including customers, businesses and regulators to gather, use and share information in a manner that is appropriate, legal and beneficial to all sides. Since the EU's adoption of GDPR, demand for DPOs has been steadily increasing across enterprises.
"Like the ombudsman, the DPO is the customer's advocate at a business to make the tradeoff between the utility of the data to the business and the trust contract with the customer to ensure that the data is utilized appropriately," said Ameesh Divatia, co-founder and CEO of Baffle, a cloud data protection company.
This will require astute diplomacy tactics to determine the correct tradeoffs. The risks of doing this poorly can include fines, loss of customer support or even erosion of the business.
Whether your organization is holding data that falls under the GDPR or one of the other growing number of data privacy-related regulations, data protection officer responsibilities are focused on overseeing an organization's data protection strategy and implementation.
Pravin KothariFounder and CEO, CipherCloud
The DPO ensures that an organization fulfills its responsibilities identified in the relevant regulations and laws protecting personal data and serves as the point of contact between a company and any supervisory authorities that oversee data privacy-related activities, Aurigemma said.
DPOs have numerous organizational responsibilities, which include educating company leadership and employees about data privacy compliance rules and regulations, training staff involved in data processing to ensure they follow applicable rules and conducting periodic audits to ensure data privacy processes are being followed.
"In essence, the DPO is an organization's 'honest broker' for data protection and privacy," Aurigemma said. This means that the DPO potentially could be placed in a position that is at odds with other company departments and leaders that seek to retain and/or use customer data for business needs that may violate data protection requirements.
Data protection officer responsibilities also include some level of independence in decision-making and resources.
"Because of the 'independence' requirement, organizations are differentiating the DPO role from that of the traditional chief privacy officer role," said Heather Federman, vice president of privacy and policy at BigID, a data privacy and protection vendor.
While some appropriate level of legal knowledge is needed, the DPO is supposed to have minimal conflict of interest so they can police data processing activities. Belgium authorities went so far as to impose a €50,000 fine on a telecom operator for what they argued was a conflict of interest with the listed DPO, who was also the internal head of compliance, risk management and audit.
Another data protection officer responsibility lies in defining what represents personally identifiable information for the company, said Sam Roguine, director at Arcserve, an enterprise data protection service. There are obvious pieces of personal information like email addresses, names, telephone numbers and location information.
"But it's important to not overlook other forms of personal data like IP addresses," Roguine said.
DPOs should also ensure that data managers keep tabs on where data is being stored as backups and copies must reside in the EU to be in compliance with GDPR.
Why the role is important
The role of a DPO is explicitly important because it helps ensure an organization meets its regulatory data privacy requirements, Aurigemma said. If an organization were found negligent of a data privacy violation and a proper DPO was not in place, an organization could be fined heavily.
The DPO needs to understand and address the concerns of both legal and technical stakeholders. The EU regulations stipulate the DPO requires "expert knowledge of data protection law and practices." This would make it appear that someone in an organization's legal department would be a good fit to fill the DPO role.
But the GDPR also specifies that the data protection officer should have expert knowledge of its organization's data processing operations, which requires an intimate understanding of the company's technologies and business uses of personal data.
"Therefore, the DPO really does fill a unique role that falls outside of traditional pre-GDPR corporate IT, business and legal positions," Aurigemma said.
Why organizations need a data protection officer
Privacy has existed for many years in other areas, typically split among different business, technology and security leaders. It has simply become such a major set of requirements that there needs to be centralized leadership that weaves all those previously distributed considerations together, Kothari said.
A DPO can complement a CISO's work in protecting data with a holistic perspective on how privacy is impacted not only by the cloud but the underlying business processes, as well and how these issues need to be managed in harmony.
Perhaps the most significant data protection officer responsibility in the current environment is ensuring that their organization is continuously improving data protection. That can encompass anything from internal HR data to sensitive customer information, among many other requirements, Kothari said.
This is growing in importance as more workers move to the cloud, often using unmanaged personal devices. The DPO needs to partner with the CISO and other management offices to focus on improving information protection to advance both privacy and compliance.