What is a data protection officer (DPO) and what do they do?

By George Lawton

02 May 2024

Richard Watson-Bruhn, the US head of digital trust and cybersecurity at PA Consulting, is quoted in TechTarget discussing the data protection officer role.

The article notes that data protection officer responsibilities reach beyond traditional IT, legal and security roles to provide a holistic view of data privacy, security and education. DPOs also guide their organization through a process of continuous regulatory compliance by incorporating privacy safeguards and best practices into nearly every aspect of business operation.

DPOs facilitate collaboration among stakeholders, including customers, businesses and regulators, to gather, use and share information in a manner that’s appropriate, legal and beneficial to all parties. They’re also required to have access to an organization’s top executives to discuss and resolve all privacy concerns.

In the EU, the DPO position is mandated by articles 37, 38 and 39 of the GDPR regulations on data privacy and algorithmic transparency. Although protecting privacy is an essential responsibility, the DPO is also responsible for ensuring organizations don’t run afoul of other aspects of the GDPR relating to transparency, algorithmic accountability and accuracy.

All organizations doing business in the EU are now required to assign a DPO, which could be an employee or an external advisor such as a law firm or consultancy. This individual is not permitted to be responsible for monetizing the use of data, which is considered a conflict of interest. It’s also important that they’re not part of IT, HR or senior management, which could also create conflicts of interest. Similarly, DPOs can’t be a chief data officer even though they need to have intimate familiarity and visibility into data processes and data sharing agreements. Companies are also prohibited from firing DPOs in the event they raise concerns about data privacy procedures in their company.

Why are data protection officers important?

Richard said that DPOs, or those in a similar role, create clear ownership and direction for an organization’s privacy risk management. “We see a similar direction across risk domains where clear ownership and a nominated individual is a vital step to progress practical risk management action.” Data protection professionals at all levels must be international experts and technology experts. Just a few years ago, data privacy regulations were primarily concentrated in the EU, California or specific industry sectors in the U.S. “Today, privacy must consider a patchwork of state laws, significant changes in data use from AI and the interaction with new AI regulations.” DPOs at companies using AI in processing personal data typically take on AI risk management, while others align privacy risk management with new AI risk roles and activities.

DPO titles by any other name

The data protection officer has a legal definition in the EU, and all companies doing business in the EU must assign a DPO. By defining the DPO’s role, the GDPR has encouraged businesses to appoint a clear owner of privacy risk management. Also, by requiring DPOs to report to the European Data Protection Board, the GDPR has sent a clear message that data privacy is considered a senior-level responsibility.

Richard continues: The DPO role requirement in the EU encourages companies of all sizes anywhere to appoint an accountable data protection and privacy person even if a DPO is not required. “The biggest learning from the GDPR and DPO role as we approach new privacy and AI requirements in the U.S. and globally,” he said, “is that clear ownership [by a data protection professional] is vital to successfully progress privacy risk management.”

In regions outside the EU, including the U.S., DPOs could wear the following titles: chief privacy officer, head of privacy and director of privacy. Richard said: “Larger firms covering multiple countries often have these roles, in addition to an EU DPO to create clear separation of responsibilities. Smaller firms not required to register a DPO shouldn't use the term to avoid confusing a regulator.”

He adds that the chief information security officer (CISO) can assume a DPO-like responsibility in some enterprises outside of the jurisdiction of the GDPR. However, the EU “has given clear guidance that a DPO cannot both control and oversee data progress.” In the EU, for example, CISOs processing data for security monitoring can't also be the DPO since, he said, this would be construed as “marking their own homework.”
