Data Protection Officer (DPO)

DEFINITION of 'Data Protection Officer (DPO)'

A data protection officer (DPO) is a position within a corporation that acts as an independent advocate for the proper care and use of customers’ information. The role of a data protection officer was formally laid out by the European Union as part of its General Data Protection Regulation (GDPR). Under the regulation, all businesses that market goods or services to customers within the European Union and collect data as a result must appoint a data protection officer. The data protection officer keeps up on laws and practices around data protection, conducts privacy assessments internally, and ensures that all other matters of compliance pertaining to data are up to date. Although the EU legislation is prompting the creation of data protection officer roles, other nations are looking at data privacy issues and may require similar roles through updated regulations.

BREAKING DOWN 'Data Protection Officer (DPO)'

The GDPR is obviously an important piece of legislation for all companies doing business in the EU, and the appointment of a data protection officer (DPO) is one of the key requirements. The DPO is on the hook for making sure a company is in compliance with the aims of the GDPR and other relevant legislation. This includes setting defensible retention periods for personal data, authorizing specific workflows that allow data to be accessed, outlining how retained data is anonymized, and then monitoring all these systems to ensure they work to protect private customer data.

This is a big job, and at larger companies the role of the DPO may require an office full of staff rather than one person. In smaller organizations, the chief information security officer (CISO) may be called upon to wear both hats. The idea of having professional DPOs monitoring several companies for compliance has also cropped up, similar to outsourcing finance reporting to an accounting firm.

Data Protection Officer Versus Other Data Roles

The chief information officer (CIO), CISO, or chief data officer roles that already exist at many corporations are fundamentally different from what is envisioned in the data protection officer role. These roles generally deal with keeping a company’s data safe and making sure that these troves of data are being exploited to improve business functions across the company. The data protection officer works on behalf of the customer’s privacy. As a result, many of the recommendations of a data protection officer will run contrary to the aims of other data roles.

Instead of holding onto valuable data indefinitely or using insights gathered in one business line to inform another, the data protection officer will be there to ensure only the minimum data needed to complete a transaction is collected and retained. The GDPR creates a strong demand for data protection officers, but it doesn’t make their job easy.