When GDPR came into force in May 2018, enterprises were forced to respond by implementing not only new technical and operational measures but also structural changes that had an impact right up to the highest management level.
Public bodies and most large-scale companies were required to appoint a new role of data protection officer (DPO). But many have bolstered their data privacy efforts further by establishing a new additional position of chief privacy officer (CPO).
The two roles share many similarities. However, this can potentially lead to confusion, as the underlying aims and objectives of their duties are very different.
In this post, we’ll clear up the common misunderstandings about these two distinct roles, taking an in-depth look at the core responsibilities of each job function and the part they play within your organization.
A DPO is a security leadership position that's a legal requirement under Article 37 of the GDPR for public sector organizations and any private company that stores and processes personal data at scale.
Similar roles are also required by Canada's Personal Information Protection and Electronic Documents Act (PIPEDA) and South Africa's Protection of Personal Information Act (POPI) but with different job titles.
Fundamentally, a DPO helps your organization meet these GDPR requirements. Data Protection Officer roles and responsibilities include:
A DPO reports directly to senior management. However, they are fully independent, acting impartially and within the law. As their employer, you have a legal obligation to provide them with the appropriate resources, knowledge, information and support to carry out their duties effectively.
They may be a member of staff dedicated to a single organization. But where you cannot justify the cost of maintaining a full-time position, within reason, they can act on behalf of other organizations at the same time.
They can also undertake other responsibilities—provided these don't conflict with their DPO duties. And it is also possible to appoint a third-party DPO on a service contract.
Under the requirements of the GDPR, a DPO must be suitably qualified to perform the role. As a result, they would be expected to have expertise in data protection law and practices, along with experience in auditing IT systems and performing risk assessments.
They should also have a strong understanding of technology and preferably have a background in IT. Embracing the job role may require frequent use of compliance technology, such as NetApp Cloud Compliance for Azure NetApp Files, Cloud Volumes ONTAP, and Amazon S3 buckets.
The abilities of your DPO should be commensurate with the level of risk and complexity involved in the data processing activity of your organization. In addition, they should ideally have good knowledge of your industry sector.
A CPO is a senior executive position that is rapidly emerging in large-scale enterprises and public sector bodies across the world. The role has grown in prominence in response to the increasing demand for a privacy professional at the highest management level.
Unlike the job title of DPO, which is very clearly defined by the GDPR, a CPO can go by other names, such as privacy officer or privacy leader.
In essence, a CPO directs your company's privacy strategy, steering your business through the complex array of different data protection regulations that affect your organization.
They also look for ways in which privacy can add value to your business, using it in a positive way to gain a competitive advantage. Their duties include:
A DPO and CPO have many overlapping privacy management responsibilities. However, the scope of the CPO's work is broader, more strategic and more aligned to organizational objectives as a whole.
First and foremost, a CPO should be highly articulate, as they'll be heavily engaged in communicating the company's privacy values and goals both internally and externally. In addition, they'll need to deal with the PR fallout in the event of a privacy incident. They'll also likely be involved in publicity campaigns to support the wider privacy agenda.
As well as possessing exemplary communication skills, a CPO will be expected to be tech savvy, developing a deep understanding of data-related operational practices and technologies across the organization. This is an area where the easy, one-click functionality and full visibility provided by NetApp Cloud Compliance will come in handy.
They will also need to be highly adaptable, owing to the multi-disciplinary nature of the role. As a result, CPOs come from a wide variety of previous occupations, but often have a legal or IT background.
What’s the difference between the two roles? Quite a lot actually.
First, a DPO is basically an advocate for data subjects, acting as an independent and impartial advisor on GDPR compliance. By law, you cannot give them orders or fire them just for meeting their responsibilities. A CPO position, on the other hand, is more that of a traditional company or public sector employee, acting in the interests of your organization.
What's more, the work of a DPO focuses specifically on GDPR, whereas the duties of a CPO are more aligned to the company's broader privacy objectives. The CPO will likely be involved in the choices of data processing activities your company makes. By contrast, a DPO serves more in the capacity of policing those activities.
Finally, a DPO serves as a point of contact for regulatory authorities and also members of the public in relation to their rights under the GDPR. By contrast, a CPO communicates mainly with the media concerning general privacy matters.
In some cases, the differences between these roles highlight the conflict of interest that could potentially arise as a result of appointing a dual position of CPO and DPO at the same time.
| | Data Protection Officer (DPO) | Chief Privacy Officer (CPO) |
|---|---|---|
| Alternative job titles | None | Privacy officer, privacy leader or privacy counsel |
| Job function | Ensure compliance with GDPR | Direct company-wide privacy strategy |
| Scope | Specific to GDPR | Data privacy in general |
| Advocate for | Data subjects | The CPO's organization |
| Point of contact for | Regulatory authorities and the public (in relation to GDPR) | The media (in relation to general privacy matters) |
| Required by law | Yes | No |
Until relatively recently, a career in data privacy wasn't a choice of occupation in its own right. Instead, it formed part of a range of duties performed by legal, IT or other professionals within another job function.
But as data privacy has moved up the company agenda, these responsibilities have evolved into mission-critical full-time occupations, namely the data protection officer and chief privacy officer. Of course, there are still areas to distinguish between them, for instance where responsibility falls when it comes down to data privacy vs. data protection.
Such roles will be pivotal to changing perceptions about privacy in the future and also bring clarity where there is currently misunderstanding about the business benefits of hiring a privacy professional.
If you’re looking for the tools that will help drive either the position of DPO or CPO, Cloud Compliance offers an easy way to automatically pinpoint and report on all of the sensitive private data that your organization has within its cloud-based storage volumes. This can make performing the company-wide role of the CPO or the advocate position of the DPO much easier to carry out.