What is a data protection officer (DPO) and what do they do?
Today's DPO must juggle technical, legal and collaborative skills in the shadow of more sophisticated data breaches, tougher data privacy laws and generative AI deployments.
Data protection officer responsibilities reach beyond traditional IT, legal and security roles to provide a holistic view of data privacy, security and education. DPOs also guide their organization through a process of continuous regulatory compliance by incorporating privacy safeguards and best practices into nearly every aspect of business operation.
DPOs facilitate collaboration among stakeholders, including customers, businesses and regulators, to gather, use and share information in a manner that's appropriate, legal and beneficial to all parties. They're also required to have access to an organization's top executives to discuss and resolve all privacy concerns.
In the EU, the DPO position is defined by articles 37, 38 and 39 of the GDPR, which cover the designation, position and tasks of the DPO. Although protecting privacy is an essential responsibility, the DPO also monitors compliance with the GDPR's other obligations, including transparency toward data subjects, accountability for automated decision-making and data accuracy.
Under GDPR Article 37, an organization must designate a DPO when it is a public authority, when its core activities involve regular and systematic monitoring of individuals on a large scale, or when its core activities involve large-scale processing of special categories of data or data relating to criminal convictions; organizations outside those cases may still appoint one voluntarily. The DPO can be an employee or an external advisor such as a law firm or consultancy. This individual is not permitted to be responsible for monetizing the use of data, which is considered a conflict of interest. It's also important that they don't hold a senior management, IT or HR position that decides the purposes and means of processing, which could also create conflicts of interest. Similarly, DPOs can't be a chief data officer even though they need intimate familiarity with and visibility into data processes and data sharing agreements. Companies are also prohibited from dismissing or penalizing DPOs for performing their tasks, including raising concerns about data privacy procedures in their company.
"DPOs are important to organizations as they offer an independent voice to the company [about] how well they are complying with the obligations of the GDPR as well as providing training and advice when it's required," said Martin McElroy, senior data protection adviser at law firm Fieldfisher. More importantly, DPOs often act as a conduit for the company, the data protection regulator such as the Information Commissioner's Office (ICO) in the U.K., and individuals, or "data subjects," in the event of serious incidents, data breaches or complaints. They're often the go-to person when problems relating to data privacy occur within the organization.
Why are data protection officers important?
DPOs or those in a similar role create clear ownership and direction for an organization's privacy risk management. "We see a similar direction across risk domains where clear ownership and a nominated individual is a vital step to progress practical risk management action," said Richard Watson-Bruhn, U.S. head of digital trust and cybersecurity at PA Consulting.
Data protection professionals at all levels must now be experts in both international regulation and technology. Just a few years ago, data privacy regulations were primarily concentrated in the EU, California or specific industry sectors in the U.S. "Today," Watson-Bruhn explained, "privacy must consider a patchwork of state laws, significant changes in data use from AI and the interaction with new AI regulations." DPOs at companies using AI in processing personal data typically take on AI risk management, while others align privacy risk management with new AI risk roles and activities.
Evolution of the data protection officer
The role of the DPO has evolved since GDPR first went into effect in 2018, influenced by technologies and events such as AI, particularly generative AI, new and more sophisticated security threats, recent data breaches and the proliferation of new and updated international, national and state laws.
The GDPR, McElroy said, has shone a spotlight on data protection rights. Increased awareness has led to a greater number of personal rights requests by data subjects, data breaches being reported, data retention programs and data protection impact assessments (DPIAs), all of which require DPO involvement. DPOs also must contend with the Schrems II judgment of the Court of Justice of the EU and the resulting updated Standard Contractual Clauses and data transfer impact assessments, plus a host of new EU legislation, including the Digital Services Act, the NIS 2 Directive on network and information security, the Digital Operational Resilience Act and the Artificial Intelligence Act.
"While not always linked to personal data, these changes to how data is regulated mean that organizations often turn to the DPO for advice and guidance," McElroy said. In the process, DPOs are becoming data subject matter experts within organizations.
In addition, companies in highly regulated industries are moving more of their data operations to the cloud and their processes are becoming more distributed. "The role of DPO now requires not only business and legal knowledge, but also a deeper understanding of intricate data infrastructure and cloud operations," reasoned Marek Ovcacek, field CTO at data management platform provider Ataccama.
DPOs must also address new AI-specific security threats, such as data poisoning, AI hallucinations and unmanaged AI in the enterprise, said Arti Raman, founder and CEO at generative AI visibility platform provider Portal26. "Intentional and unintentional inaccuracies injected during AI training and the rise of unmanaged AI, including shadow AI and BYOAI [bring your own AI]," she explained, "pose unprecedented risks, making it imperative that the role of the DPO adapts to the changing landscape."
Generative AI, machine learning and the introduction of other complex data privacy challenges, including bias and the lack of transparency in automated decision-making, have placed added burdens on DPOs. They now have a critical role in ensuring AI deployments comply with data protection laws and uphold ethical standards. "This shift demands that DPOs stay abreast of technological advancements and actively shape AI practices to safeguard privacy, making their role more strategic and integral to organizational success," said Ryan Miles, data and analytics executive at engineering services firm Nightwing.
What do data protection officers do?
The expanding role of DPOs includes the following essential tasks.
Assessing impact
Organizations must conduct a DPIA when the processing of data is likely to place the rights and freedoms of individuals at high risk. The DPO advises relevant stakeholders and monitors operations to ensure the company minimizes those risks. If a data breach occurs, the DPO must know what data has been compromised and ensure the applicable notifications are made, said Brian Neuhaus, CEO of IT consultancy Neuhaus Ventures. Under the GDPR, that means notifying the supervisory authority within 72 hours of becoming aware of the breach where feasible, and notifying affected data subjects when the breach is likely to result in a high risk to their rights.
Education and training
The DPO informs and educates management and employees about their responsibilities relevant to privacy and security regulations. "An organization that adequately complies with the GDPR or a similar law in another jurisdiction will require its staff to conscientiously think about their data processing activities and to implement them in a 'data protection by design and by default' manner," explained Puneet Gogia, founder of Excel training program Excel Champs.
Monitoring processes
The DPO oversees and audits how an organization processes and shares information to ensure compliance obligations are met. Partnerships within lines of business, IT and cybersecurity are paramount, Neuhaus stressed.
Connecting with regulators
The DPO works as a liaison with regulators who raise concerns about issues related to the organization's processing of data.
Addressing privacy questions
The DPO is the first point of contact when data subjects ask how their data is being processed and handled or exercise their rights, such as access to or erasure of their data.
Understanding technology and the law
The DPO must fundamentally understand the company's technical, security and data operations and have an in-depth knowledge of legal compliance statutes across regions and countries. "DPOs are not dependent on technology, but rather on organizational policies and processes," said Curtis Blount, co-founder and chief security officer at threat management platform provider InsightCyber.
Why do organizations need a DPO?
The DPO is integral to the company's business goals, especially as enterprises navigate newly introduced data protection complexities spawned by generative AI, Miles explained. "DPO duties are not just about compliance," he noted, "but are central to our commitment to trust and transparency."
Generative AI comes with its share of ethical and privacy implications. DPOs are pivotal in ensuring an organization's AI advancements are not only innovative, but also responsible and respectful of individual privacy. "This balance is crucial for maintaining the trust of employees, customers and the public and making the DPO an essential figure in strategic vision," Miles noted. Generative AI, large language models and ChatGPT have further democratized data and its sources across enterprises, adding to DPO responsibilities as data protection overseers. "In some sense, DPOs are digital traffic cops managing data collection, organization and activation," said Jason Downie, U.S. CEO at consultancy Making Science.
DPOs can also help bridge the gap between IT and marketing, Downie said, and play an integral role in supporting an organization's digital transformation. As breaches proliferate, DPOs must ensure data is protected throughout the entire data lifecycle.
Marketing, sales and customer service functions can be a high priority for DPOs due to the large volume of customer interactions and the personal data collected by companies engaging with consumers on multiple channels. "Data breaches and leakage," Downie said, "can happen at scaled digital interaction points with consumers through online properties such as websites and advertising campaigns."
Due to a combination of stricter data protection and privacy laws and the deprecation of third-party cookies, marketing and data teams are expected to do more with less data, according to Downie. "Between the U.S. and U.K. spearheading and reviewing various consumer protection regulations," he surmised, "data remains at the center and DPOs must stay aware of changing legislation to remain compliant."
Data protection officer qualifications
The DPO's qualifications must be as multifaceted as the tasks they're expected to perform. It's about technical, security, legal, regulatory, customer and data processing knowledge plus the intangibles.
- Ongoing experience drafting privacy and risk management policies, overseeing compliance programs and responding to regulatory requests.
- Familiarity with and certifications in IT, particularly data infrastructure.
- Experience conducting IT systems audits and facilitating risk assessments.
- Good communication and networking skills working with a diverse group of stakeholders.
- Persistence in overcoming cultural and political resistance from stakeholders.
- A track record in learning new systems, processes and laws.
How to become a data protection officer
To build a solid data protection foundation, DPOs must take a multipronged approach to data protection. That begins with a strong understanding of data protection laws and regulations as well as IT and cybersecurity principles, Miles said. It's also essential to have a good understanding of customers and their environments to ensure data protection strategies are compliant and fully aligned with customer expectations and values.
Education and practical experience in data protection, privacy law and IT security with an eye toward bridging the gap between technology and ethics are valuable credentials in building a career as a DPO. "Continuous education and staying abreast of the latest developments in technology, law and ethics are nonnegotiable," Miles stressed. Proficiency in communication and compliance management are also essential, Gogia added.
Data protection and privacy certifications add to the credentials of DPOs. The International Association of Privacy Professionals offers several data protection related certifications, including the Certified Information Privacy Professional, AI Governance Professional, Certified Information Privacy Manager and Certified Information Privacy Technologist.
Unlike many other professions, there's no set pathway to becoming a DPO, Fieldfisher's McElroy said, but it's important to develop expertise in GDPR and other data protection regulations. A law degree is not a specific DPO requirement. McElroy said he's not a lawyer but he evolved into the DPO role after starting his professional life in legal information management, followed by a mix of cross IT and legal compliance roles covering litigation support, data management and operating with the COBIT IT governance framework and the ISO/IEC 27001 information security standard. "I am convinced my years of working between legal and IT teams gave me the necessary experience to become a DPO," he said.
How to hire a DPO
There are several ways to search, locate, interview and hire a qualified DPO that meets the organization's specific needs.
Write a job specification
Combine the organization's needs with the required DPO skills to meet those needs. A good job specification, Gogia said, should emphasize a DPO's expertise in data protection laws and experience with the data process and its security.
Map organizational needs to skills
If the organization's unique requirements dictate complex or innovative processing of personal data, McElroy suggested, then it's important to find a DPO with a good grasp of related technologies. The candidate should have strong collaborative skills, but don't settle for a "yes person," he warned.
Research expert resources
Networking with professional bodies, specialist recruitment agencies and academic institutions, especially faculties working in data protection, cybersecurity and IT law, can help locate suitable DPO candidates. A good place to personally meet potential candidates is at conferences that focus on data protection, privacy and cybersecurity. Legal and IT security firms often employ specialized data protection and privacy practitioners who provide outside support.
Evaluate the candidates
Grade candidates on their understanding of technology, especially AI, how these technologies impact data protection and privacy, and the candidates' ability to navigate through ethical complexities. It's also important to assess a candidate's ability to communicate effectively across departments and lead initiatives that embed privacy and ethics into company culture. "Given the dynamic nature of the cybersecurity field specifically," Miles advised, "flexibility and a proactive approach to learning and adaptation are key traits we seek in a DPO."
DPO titles by any other name
The data protection officer has a legal definition in the EU, and organizations whose processing meets the GDPR's Article 37 thresholds, such as public authorities and companies whose core activities involve large-scale monitoring or large-scale processing of special categories of data, must designate one. By defining the DPO's role, the GDPR has encouraged businesses to appoint a clear owner of privacy risk management. Also, by requiring the DPO to report directly to the highest management level of the organization, the GDPR has sent a clear message that data privacy is considered a senior-level responsibility.
The DPO role requirement in the EU encourages companies of all sizes anywhere to appoint an accountable data protection and privacy person even if a DPO is not required, Watson-Bruhn of PA Consulting reasoned. "The biggest learning from the GDPR and DPO role as we approach new privacy and AI requirements in the U.S. and globally," he said, "is that clear ownership [by a data protection professional] is vital to successfully progress privacy risk management."
In regions outside the EU, including the U.S., DPOs could wear the following titles: chief privacy officer, head of privacy and director of privacy. "Larger firms covering multiple countries often have these roles, in addition to an EU DPO to create clear separation of responsibilities," Watson-Bruhn explained. "Smaller firms not required to register a DPO shouldn't use the term to avoid confusing a regulator."
The chief information security officer (CISO) can assume a DPO-like responsibility in some enterprises outside of the jurisdiction of the GDPR. However, the EU "has given clear guidance that a DPO cannot both control and oversee data progress," Watson-Bruhn said. In the EU, for example, CISOs processing data for security monitoring can't also be the DPO since, he said, this would be construed as "marking their own homework."
George Lawton is a journalist based in London. Over the last 30 years, he has written more than 3,000 stories about computers, communications, knowledge management, business, health and other areas that interest him.