Data Protection Officer (DPO): A Critical Role for User Privacy

The landscape surrounding data privacy is changing quickly. What was a best practice yesterday might not be today. New laws, and amendments to those laws, are popping up with such regularity that keeping track of them could be a full-time job.

Take the California Consumer Privacy Act (CCPA) as just one example. You may have heard of it, but are you familiar with its nuances? Are you aware of the recent amendments to it? Is anyone else in your company keeping tabs on these changes?

If not, you could be leaving your company open to penalties under the new California law. Ignorance of the CCPA won’t prevent your company from being fined. You have to know what’s in these laws and regulations to be able to ensure compliance. That will help your company avoid fines.

To help your company maintain compliance with data privacy laws, you need to assign someone to oversee data privacy. That person should be a data protection officer (DPO).

Some companies are required to have a designated DPO under the General Data Protection Regulation (GDPR). Even if your company doesn’t need to comply with the GDPR, having a data protection officer is still a best practice for data privacy.

What is a data protection officer (DPO)?

A data protection officer is an independent company official tasked with understanding data privacy legislation, ensuring that your company is complying with the regulations, and acting as a point of contact for data subjects.

The key word in that definition is “independent.” Data protection officers must be able to do their work without being pressured by other people within the company to do things a certain way. The GDPR (Article 38) makes this concrete: the DPO must not receive instructions on how to carry out their tasks, must not be dismissed or penalised for performing them, and reports directly to the highest level of management. The company still makes, and remains accountable for, its data processing decisions, but it has to make them with the DPO’s advice on the record.

It’s vital your DPO has no conflicts of interest with regard to data privacy. There’s a chance your DPO will have other job functions, too, so there is the potential for conflicts of interest to arise. For example, if someone on your legal team is serving as your DPO, they should not be involved in handling any lawsuits related to data.

4 primary responsibilities of a data protection officer (DPO)

The GDPR has an entire article — Article 39 — dedicated to the tasks of a data protection officer. That article is a good starting point, even if your company doesn’t need to comply with the GDPR.

The tasks that a DPO should handle can vary based on the company and its specific needs for privacy law compliance. Generally, DPOs have four core activities:

1. Compliance

DPOs monitor compliance with data privacy laws. They need to stay up to date on the latest legislation and make sure their companies are complying with it.

2. Company awareness

The DPO is tasked with raising awareness among employees and running training programs about data privacy. Company-wide data privacy might be governed by a DPO, but best practices have to be followed by every employee.

3. Risk assessment

Another critical task that DPOs perform is advising on data protection impact assessments (DPIAs), which the GDPR requires for processing that is likely to pose a high risk to individuals (Article 35). These assessments help your company identify risks from data collection and take steps to mitigate them.

4. Overall data strategy

Lastly, it’s a DPO’s duty to maintain and review the data strategy, data governance, and data collection practices for the company.

Using these tasks as a baseline for your DPO will leave you far better prepared for changes in data privacy law.

Who is best suited to be a DPO?

Finding someone qualified to carry out all of the responsibilities of a DPO can be difficult. It requires a lot — from knowing the laws and regulations to understanding the company’s internal technology.

It gets more difficult when you remember that a DPO must not have any conflicts of interest. That rules out anyone whose own role decides what personal data is collected and how it is processed, since they would be auditing their own decisions; heads of IT, security, marketing, and HR, as well as C-level executives, are typically considered conflicted for this reason.

If you have a compliance or legal department, someone in one of those departments is probably best suited for the DPO role. If your company is small, and you don’t have either of those departments, Article 37 of the GDPR allows a group of companies to appoint a single DPO, as long as that person is easily accessible from each of them, and it also allows the role to be filled by an external contractor under a service contract.

Should your company have a DPO?

DPOs are required by the GDPR in some, but not all, circumstances. Those circumstances are outlined in Article 37 of the GDPR:

  • If your company processes data and is “a public authority or body” (other than a court acting in its judicial capacity), you must appoint a DPO.

  • A DPO is required if your core activities involve regular and systematic monitoring of data subjects on a large scale, for example tracking users’ behaviour across a website or app.

  • You’ll need a DPO if your core activities involve processing special categories of data (such as health, biometric, or religious data) or data about criminal convictions on a large scale.

To sum that up, if your company is a public authority, systematically monitors people at scale, or processes sensitive personal data at scale, you’re required to have a data protection officer under the GDPR of the European Union.

Even if you don’t need to comply with the GDPR, it might be a good idea for you to appoint a DPO. Having one person with the authority and the mandate to understand the various state-specific privacy laws will go a long way to keeping your company compliant.

Also, a federal data privacy law may be coming to the U.S. in the near future. 51 tech CEOs recently sent a letter to Congress asking it to pass a comprehensive federal consumer privacy law. A law similar to the European Union's GDPR may not be too far off for the United States. If your company has a DPO, there’s a chance you’ll be better prepared for any future legislation.

Having a DPO can also show consumers that you’re committed to the privacy of their data. Consumer trust is a big part of data privacy. If your customers feel like they can’t trust you with their data, it could have a serious negative impact on your company.

How does a DPO improve data privacy?

In another article, we mentioned that data privacy is all about transparency. Data privacy helps consumers understand what you’re doing with their data. There’s one more piece to that, though. Data privacy is also about compliance with laws and regulations.

Those laws are created to make sure that your company is respecting the privacy of your consumers. A data protection officer will help with that. DPOs are the employees who ensure that a company is complying with laws. Without that point person, it’s easy to miss something in these laws.

Let’s go back to the transparency piece of data privacy. If your goal is to help consumers understand what you’re doing with their data, you need to have one person who oversees what you’re doing with consumer data. If you don’t have that, it can be very easy to lose track of what data you’re collecting, and why.

For example, do you know all the data points your mobile app is collecting? What about all the data that’s being collected on your website? There might be a few employees who know all of those answers, but having one person who oversees it all can improve transparency and compliance. That one person should be a DPO.

Think of the DPO as an air traffic controller. An air traffic controller monitors all airplanes in their airspace and helps ensure that every plane safely gets to where it needs to get. If airports didn’t have an air traffic controller, there would be chaos.

If your organization is committed to data privacy, a DPO can help direct your data privacy practices to reduce chaos.

Data privacy needs a proactive approach

Respecting data privacy requires a proactive approach. It doesn’t matter if your company is currently subject to existing laws or if future laws are going to affect your data privacy practices. If you’re proactive in dealing with those laws, you’ll be positioned to better serve your customers. Remember, customers want companies to have strong data privacy and data security, too.

That’s the goal of a data protection officer. They’re a proactive authority. Without a DPO, your company might be taking a reactive approach, and may be in breach of the GDPR and exposed to audits and investigations, which is not a good way to handle customer data.

Frequently asked questions

What is a data protection officer?

A DPO is an independent employee who ensures GDPR compliance within a company. They essentially monitor company activity and data privacy legislation.

What qualifications does a DPO need?

Work experience is always helpful. The GDPR itself (Article 37(5)) does not prescribe a degree; it requires expert knowledge of data protection law and practices. In practice, many companies look for at least a bachelor's degree in computer science or information security.
