Before understanding who should be appointed as a Privacy Officer or Data Protection Officer (DPO), it is necessary to understand what these positions effectively mean.
In different jurisdictions, companies have obligations to comply with the various pieces of legislation regarding privacy and the protection of personal data. Some require a Data Protection Officer; for others, the appointment of an internal officer is sufficient. Still other regulations impose no specific requirement to appoint a person to this role, as long as the company complies with the general privacy rules. Consequently, there are different roles that can assist with privacy compliance, whether or not they are expressly mentioned in the legislation.
The Data Protection Officer is one of the best-known roles in the privacy field, relevant to managing and handling legislation such as the GDPR and the LGPD. Under the GDPR, for example, there are specific requirements for the designation of a DPO, such as the DPO's independence vis-à-vis the data controller in performing their work. Moreover, these individuals should be officially designated to the Data Protection Authority in the competent jurisdiction.
On the other hand, in Canada, under PIPEDA, PIPA Alberta, PIPA British Columbia and, starting September 22, 2023, the recently amended Quebec Privacy Act, organizations are required to appoint an individual responsible for compliance with their privacy obligations. For instance, under the new rule in Quebec, if no one is appointed, the CEO is deemed responsible for privacy protection by default. Under the Canadian legislation, this role is closer to a “Privacy Officer” than to the “Data Protection Officer” defined by the GDPR.
Regardless of the title of the position and the specifics of each piece of legislation around the world, it is important to observe some principles when appointing the person in charge of your privacy program.
If you need to appoint a DPO, a Chief Privacy Officer (CPO) or equivalent, be sure to select a person who is a good fit for the role, considering someone who:
An organization should always have clear lines of responsibility for these roles and should make the designated person known to coworkers and to the external public as the organization's point of reference for privacy and personal data protection matters.
Finally, it is also important to remember that this role does not necessarily have to be performed by an internal employee; it can be outsourced to a specialized person or company that has the resources and expertise needed to perform these privacy and personal data protection compliance activities.
To learn more about how Hitachi Systems Security can help you in this endeavor, please check our DPOaaS Brochure.
Reach out to our team for more information!