Data Protection Officers 101

Many privacy laws around the world say you must have a designated employee responsible for complying with rules about personal data. The most common term is "data protection officer," though some laws use an alternative term.

In this article we'll run through the requirements for all of the major laws that may affect your organization, along with some key principles for your data protection officer.


The GDPR: Does it Affect Me?

Although the General Data Protection Regulation (GDPR) is a European Union regulation, its scope is not limited to EU countries. You must comply with the GDPR in three circumstances:

  • You are processing personal data about somebody in an EU country
  • You process personal data and your organization has a presence (for example, a branch office or registered company) in an EU country
  • You process personal data and the processing physically happens in an EU country (for example, in a data center)

Processing means any use of personal data, including collection and disclosure. You must also comply with the GDPR if you are a data controller, meaning you make the decisions about what and how to process data, even if another company physically carries out the processing.

Although the United Kingdom is no longer an EU member, at the time of writing the measures of GDPR still remain in force in the UK through domestic law.

Does the GDPR Require a Data Protection Officer?

The GDPR says you must appoint a data protection officer in three circumstances.

  • You are a public authority or body. (This doesn't include courts when acting in a judicial capacity.)
  • Your core activity involves "regular and systematic monitoring of data subjects on a large scale." (In simple terms, data processing is the heart of what your business does.)
  • Your core activities include large scale processing of personal data designated special categories. These include the following:

    • Biometric data
    • Criminal record information
    • Data about sexual orientation and other sex life issues
    • Genetic data
    • Health data
    • Political, religious or philosophical beliefs
    • Racial or ethnic origin
    • Trade union membership

You can voluntarily appoint a data protection officer even if you don't meet any of these criteria. Doing so may make it easier to comply with the other measures of the GDPR.

What Must the Data Protection Officer Do?

Your data protection officer must have expert knowledge of data protection rules and have the ability to carry out their designated tasks. The GDPR says these tasks must include the following, at Article 39:

  • Inform and advise your organization and employees about their responsibilities to comply with the GDPR
  • Monitor compliance with the GDPR
  • Train staff on data processing rules and assign relevant responsibilities
  • Cooperate with the supervisory authority (a national body in the relevant country that enforces the GDPR)
  • Act as a contact point for the supervisory authority
  • Carry out a data protection audit when your organization is planning data processing that creates a high risk to people's data rights

The GDPR also says you must designate a method of contact for people to make data access requests or to ask that their personal data be corrected or deleted. Although the GDPR doesn't make it mandatory to have the data protection officer be this contact, it normally makes sense to do so.

Civica gives a direct contact for its Data Protection Officer:

Civica Privacy Notice: Our Contact Details clause - DPO section highlighted

Now let's take a look at some other laws that require similar roles in certain circumstances.

PIPEDA: Does it Affect Me?

The Personal Information Protection and Electronic Documents Act (PIPEDA) is a Canadian federal law. As a general principle it applies if you are a private sector (for-profit) organization and you handle personal information as part of your business.

The main exceptions are cases where your organization is already covered by local laws that have similar measures to PIPEDA. These include organizations that operate entirely in Alberta, British Columbia or Quebec. Some health information is covered by local laws in other provinces, meaning the processing doesn't come under PIPEDA.

You are always covered by PIPEDA if you are a federally regulated business in Canada.

Does PIPEDA Require a Data Protection Officer?

The first of PIPEDA's ten key "fair information principles" requires that you have a designated privacy official. This is the same concept as the data protection officer role set out in other privacy laws.

What Must the Data Protection Officer Do?

The designated privacy official is responsible for your organization complying with PIPEDA, including the fair information principles. Their tasks must include the following:

  • Carry out a privacy impact assessment
  • Develop and implement procedures to protect personal information
  • Oversee staff training on privacy issues
  • Develop your Privacy Policy and make it readily available. This must include the designated privacy official's name and contact details.
  • Receive and respond to complaints about your compliance with PIPEDA.

You must give a name and contact details for people to make data access requests. Normally this contact should be your designated privacy officer.

Australia's Privacy Act: Does it Affect Me?

The Privacy Act applies in any of three situations:

  • You are an Australian government agency.
  • Your annual turnover is more than AUD 3 million.
  • Your annual turnover is AUD 3 million or less but your business is of a type specified in the Act. Key examples include private sector health providers, credit reporting bodies, and businesses contracted to provide services to the government.

The Act covers any organization in these three groups when handling personal information about an Australian resident. The organization's location doesn't matter.

Does the Privacy Act Require a Data Protection Officer?

The Privacy Act itself does not specifically require a data protection officer.

The Privacy Commissioner, who oversees the Act's enforcement, has published guidelines on compliance. This gives the example of "designated privacy officers" as something you should "consider implementing" to make it easier to comply with the Act.

What Must the Data Protection Officer Do?

As the Act doesn't specifically require a Data Protection Officer, the role doesn't have legal requirements. The organization as a whole must comply with 13 Privacy Principles.

The Sydney Morning Herald has a privacy officer despite it not being a legal requirement:

Sydney Morning Herald Privacy Policy: Contact Privacy Officer clause

Remember that while this Act may not require a data protection officer, your business may also fall under the scope of other laws that do require this. So, it's best to err on the side of having someone in this role.

New York SHIELD Act: Does it Affect Me?

This covers anyone, regardless of location, who holds or uses personal data about New York state residents.

Does the SHIELD Act Require a Data Protection Officer?

Although the SHIELD Act doesn't use the term "data protection officer" it does require a business to use safeguards to protect personal data against loss, disclosure or damage. The law lists suitable safeguards, including designating one or more employees to coordinate your security program.

What Must the Data Protection Officer Do?

While the rules only specify that the designated employee must coordinate the security program, your business as a whole must use a combination of administrative, technical and physical safeguards to protect data.

You must also make sure to report any data breach to the affected consumers along with the state Attorney General, the New York Department of State and the state's Office of Information Technology Services.

In most cases it will make sense for the designated employee to oversee all the safeguards. They could also take responsibility for notifications or this could be somebody else's role.

The New York State Department of Financial Services has a dedicated official for privacy rules:

New York Department of Financial Services Privacy Policy: Request for Records clause with Privacy Compliance Officer contact information

If you have someone who operates as your privacy officer, make sure to include the individual's contact information somewhere in your Privacy Policy.

LGPD: Does it Affect Me?

This Brazilian law (Lei Geral de Proteção de Dados Pessoais) applies if you process personal data for commercial purposes in one of four circumstances:

  • The data is about a resident of Brazil
  • The processing happens in Brazil
  • The data was originally collected in Brazil
  • You process the data so that you can offer products or services in Brazil

Note that your own location doesn't matter.

Does the LGPD Require a Data Protection Officer?

Yes, the law specifically says you must appoint a data protection officer.

What Must the Data Protection Officer Do?

The data protection officer has three responsibilities under the LGPD:

  • Handle complaints and data access requests from data subjects (the people the personal data is about)
  • Educate, train and inform employees and contractors about the LGPD's requirements
  • Act as a point of contact for Brazil's Data Protection Agency, which enforces the LGPD

LinkedIn has complied with the LGPD by appointing a data protection officer:

LinkedIn LGPD page: Data protection officer contact information highlighted

While this page at LinkedIn explicitly mentions the LGPD, this isn't a requirement. Simply having a data protection officer and disclosing contact information will suffice.

POPI: Does it Affect Me?

This South African law (Protection of Personal Information Act) applies to anyone who processes personal data and is legally based (domiciled) in South Africa.

The law also applies to any processor outside of South Africa that uses "automated or non-automated means in the [country]." This is generally interpreted as covering processing of personal data about somebody who is in South Africa, regardless of the physical location of any servers or data centers.

Does POPI Require a Data Protection Officer?

The POPI Act says you must have an information officer, the law's term for a data protection officer. By default this is the head of your organization, typically your CEO. You can designate another employee as information officer but you must register this designation with the country's Information Regulator.

What Must the Data Protection Officer Do?

The POPI Act lays out four key responsibilities for the information officer:

  • "Encourage" compliance across your organization to make sure you process personal information lawfully.
  • Receive and respond to any requests made under the POPI Act such as data access requests or opting out of direct marketing.
  • Work with the regulator to get advance authorization for some forms of sensitive data processing such as criminal records and credit reporting.
  • Any other steps to make sure the organization complies with the POPI Act.

Singita's Privacy Policy confirms it has appointed an information officer:

Singita Privacy Policy: Introduction clause - Information Officer contact information highlighted

As you can see, not every law requires a data protection officer, while some do but use different terminology. As a best practice, you should have someone on staff who is more versed in privacy issues who can handle any issues that may arise.

General Principles for Your Data Protection Officer

Different laws have different rules on appointing your data protection officer and their position in your hierarchy, but some key principles apply in all cases. These are the main points to consider.

In-House or External Role

Unless a privacy law says otherwise, you'll usually have the choice between appointing an in-house employee as data protection officer or hiring an external consultant to hold the role.

The advantages of an in-house appointment include familiarity with your business and potential cost savings if you can combine the data protection officer role with other duties. You must make sure this doesn't create a conflict of interest.

The advantages of an external consultant are that they can oversee your compliance from an unbiased perspective and they may have specialist skills and knowledge that you can't find in a current or future employee.

Note the GDPR says you can have a single data protection officer to cover multiple companies. However, they must have the capacity to carry out their duties across all the companies.

Independence

Many privacy laws say a data protection officer must have operational independence in carrying out their duties. For example, Article 38 of the GDPR says you must not tell a data protection officer how to do their job and you cannot dismiss or penalize them for carrying out their duties.

Authority

Many privacy laws specify that your data protection officer must have the resources and authority to carry out their duties. For example, PIPEDA guidelines say that "Your designated privacy official should have the support of senior management and the authority to intervene on privacy issues."

Summary

Let's recap what you need to know about data protection officer roles under different privacy laws.

  • Many privacy laws require a designated employee to handle privacy issues, commonly called a data protection officer. Key tasks in the role usually include complying with privacy laws, cooperating with supervisory authorities and handling data access requests. We've listed other tasks required by specific laws below.
  • The GDPR covers personal data processing about people in EU countries, by businesses with a presence in the EU, or that takes place in EU countries. It requires a data protection officer if you're a public body or if your core business activity involves large scale or sensitive data processing. The data protection officer must train staff on data processing rules.
  • PIPEDA affects many for-profit businesses in Canada. It requires a designated privacy official. Their tasks include training staff and developing and publishing a privacy policy.
  • Australia's Privacy Act covers most government agencies and large businesses, plus smaller businesses that handle sensitive personal data. The Act doesn't require a data protection officer but the accompanying guidance says appointing someone to the role will make compliance easier.
  • The New York SHIELD Act covers anyone handling personal data about state residents. It doesn't require a data protection officer but does specifically suggest designating somebody to oversee a security program. This should include administrative, physical and technical safeguards.
  • The LGPD covers most personal data processing with some connection to Brazil. It specifically requires affected organizations to appoint a data protection officer. Their duties include training and educating staff and contractors about privacy rules.
  • The POPI Act covers most personal data processing by organizations in South Africa or about South African residents. All affected organizations have an information officer, either your organization's head (the default option), or somebody else that you designate and register with the Information Regulator. The information officer's role includes getting advance authorization from the Information Regulator for some sensitive data processing.
  • Most privacy laws let you choose between an in-house employee and an external consultant for the data protection officer role.
  • Your data protection officer should have the independence and authority to perform their role effectively.