25/08/2023 - In the build-up to the GDPR, European companies scrambled to appoint Data Protection Officers to escape penalties for noncompliance with the coming regulation. Since then, privacy and data protection topics have garnered more attention across businesses of all shapes and sizes. Additionally, new sets of privacy laws have emerged globally, creating a growing need for privacy professionals.
As a result, many organisations have subsequently developed more comprehensive privacy compliance programmes, and we have witnessed multiple new privacy-focused functions emerge. The distinction between these different privacy roles is not always clear for many organisations. Does your organisation need to hire a DPO, Privacy Officer, or both? In this post, we will explain the difference between the three most common categories of privacy functions so that you can make a more informed decision when establishing your own privacy and data protection teams.
We will discuss the roles:
- Data Protection Officer (‘DPO’)
- Privacy Officer (‘PO’)
- Privacy Steward
1. Data Protection Officer (‘DPO’)
The role of DPO is the only function explicitly mentioned in the GDPR. Only public organisations, organisations processing large amounts of sensitive data, and organisations that engage in large-scale monitoring of data subjects are legally required to appoint a DPO. Regardless, most organisations appoint a primary privacy point of contact, and many elect to appoint a DPO for this purpose.
The primary responsibilities of a DPO include:
- Advising organisations, as well as their employees, of their obligations under data protection law
- Monitoring compliance with privacy/data protection legislation, including audits, raising privacy-awareness, and training staff on their privacy obligations
- Providing advice to the business and carrying out or reviewing Data Protection Impact Assessments (DPIAs)
- Acting as a point of contact for data subjects making requests regarding the processing of their personal data, or when exercising their privacy rights
- Acting as the business's main point of contact with Data Protection Authorities.
DPOs work independently. Their independence is legally guaranteed under the GDPR. Additionally, they are legally protected from dismissal.
For more information on the independence of DPOs and their dismissal protection, please refer to our blog on DPOs vs. POs. In reality, the DPO is not ultimately responsible for compliance with privacy and data protection rules. Depending on the organisation, that responsibility lies with the board or the relevant management team. The DPO's role is to advise management in this regard. DPOs cannot be directly involved in decision-making regarding an organisation's data processing activities. Their independence allows them to provide objective advice to the business without engaging in the day-to-day privacy-related operations. Individuals who fill the role of DPO often have a legal background and must be experts in the field of privacy and data protection law.
2. Privacy Officer (‘PO’)
Unlike the DPO, the role of PO is not legally mandated or defined in the GDPR. Consequently, organisations have more freedom to tailor the requirements of this function according to their specific needs. Organisations may also use different titles when referring to this role. Alternative titles include Chief Privacy Officer, Corporate Privacy Officer, Privacy Counsel, Data Protection Manager, and Data Protection Lead; the choice is completely at the discretion of the organisation. Larger organisations will often appoint a Chief Privacy Officer, or Corporate Privacy Officer, who is supported by other Privacy Officers that collectively make up the organisation's Privacy Team. Regardless of the designation an organisation elects to use, the PO will usually be the primary driver of day-to-day privacy operations.
POs work intimately with the business and are directly involved in implementing privacy solutions and handling data protection matters within the business. POs can be directly involved in an organisation's decision-making regarding data processing activities, and they can represent an organisation's data processing interests and work actively in developing organisational solutions to data protection problems. Typical tasks undertaken by a PO may include:
- Drafting relevant privacy policies for the business
- Processing data subject requests
- Establishing or maintaining an organisation's record of processing activities (ROPA)
- Responding to security incidents and personal data breaches
- Performing privacy assessments within the business
The tasks of a PO will differ between organisations, but in general, they are an organisation's first line of defence when it comes to privacy and data protection matters. POs play the more active operational role in comparison to the advisory role of a DPO.
3. Privacy Stewards
This is the least defined role. Consequently, the exact function and responsibility of a Privacy Steward can differ significantly across organisations. As with POs, organisations may also use a variety of names when referring to Privacy Stewards, such as Privacy Champions or Privacy Ambassadors.
Privacy Stewards can be described as an organisation's “boots on the ground” when it comes to privacy matters. They act as an important link between the business and the other privacy functions listed above. They play an important role in alerting either the DPO or PO to any privacy-related needs or issues that exist within the organisation.
Typically, the role of Privacy Steward is assigned to an existing employee within the organisation. Unlike a PO, their primary job function may not be privacy-related; however, in their role as Privacy Steward, they connect the PO or DPO with their area of the business. For example, it has become common for larger organisations to appoint a Privacy Steward per department or function of the business. That Privacy Steward can then act as the first point of contact for the DPO or PO when communicating with the business, and can assist in alerting them to any potential issues. Privacy Stewards often also play a role in increasing privacy awareness within an organisation and keeping the record of processing activities (ROPA) up to date.
Unlike a DPO or PO, a Privacy Steward is not necessarily someone with a legal or security background. They will be trained in the privacy and data protection standards relevant to their business and will work in close connection with the DPO and/or PO.