1.) What is a DPO, anyway? What are they even supposed to do? In a nutshell, the data protection officer is a senior adviser with oversight of how your organization handles personal data. Specifically, DPOs should be able to: Inform and advise your organization and staff about their privacy compliance obligations (with respect to the EU General Data Protection Regulation and other data protection laws). Monitor privacy compliance, which includes managing internal data protection activities,... Read More

In my recent Privacy Advisor articles on the essential job skills and the appropriate professions of Data Protection Officers (DPOs) under the General Data Protection Regulation (GDPR), I discussed the statutory language of the GDPR and my interpretation of it. I also wanted to understand how others are viewing the DPO role under the GDPR, especially those who are currently in the roles responsible for compliance with this upcoming law. To achieve this, I reached out to a national association o... Read More

What does the General Data Protection Regulation require for DPOs and what do those requirements mean for the DPO’s job skills? In this article, Thomas Shaw summarizes the necessary skills. Read More

In January, Thomas Shaw wrote an article for The Privacy Advisor on the essential job skills of data protection officers under the General Data Protection Regulation. Having read it, Emma Butler responded online with her views, and, after some back-and-forth, the two decided to write an article together highlighting the many areas they agreed upon and further analyzing where their perspectives and insights differed. To Shaw, the DPO must be a lawyer. Specifically, a privacy- and technology-focused lawyer. Butler strongly disagrees. She says, “there are many examples of successful DPOs and CPOs who are not lawyers.” In this point-counterpoint, the two square off. Read More

The data protection officer role is a new feature for many organizations now subject to the EU General Data Protection Regulation. Critically, for many companies, designating a DPO is not optional. The Article 29 Working Party (now the European Data Protection Board) further suggests that it may be in the interest of companies not legally required to designate a DPO to do so anyway, whether “internal” or “external.” Considering that data protection officers — whether inside or outside of the org... Read More

The Spanish data protection authority is the first in Europe to set up regulations for data protection officer certification schemes. The rules explain in detail what someone will need to demonstrate and do in order to become a DPO in the country. The EU General Data Protection Regulation, which will come into effect in May next year, mandates that companies engaging in large-scale monitoring of people, or handling a significant amount of sensitive personal data, will need to appoint a DPO. The... Read More

The GDPR applies to controllers and processors that process personal data of individuals in the EU, regardless of where the organization is established in the world. Those organizations that are not established inside the EU are required to appoint a representative who is established in the EU for purposes of GDPR compliance. The GDPR also requires a data protection officer under some circumstances, and makes the role voluntary otherwise, and the Article 29 Working Party recommends the DPO be lo... Read More

A significant number of business decisions, irrespective of discipline, are marred by dilemmas. For data protection officers, dealing with dilemmas is part and parcel of the job. Before diving into the dilemmas facing a DPO, consider the perspective of a consumer advocate. Essentially, a DPO is an advocate of the data subject. If, for example, you purchase a car, TV or children's toy, you have rights as a consumer — a return guarantee on faulty products and an assurance the product does not pre... Read More

Personal data protection and whistleblowing are two different topics — different regulations with different purposes, scope and requirements. But, in fact, they are closer than they seem, especially for practical reasons. Both data protection governance and whistleblowing systems are often exercised by the same unit —  the compliance department — or even by the same person. This solution offers several advantages, but also some problematic points that need to be highlighted and clarified in adv... Read More

Data protection officers could be "solicited" by their data protection authority in the "weeks and months to come" as part of the European Data Protection Board’s freshly launched 2023 coordinated enforcement action, Deputy Head of the EDPB Secretariat Gwendal Le Grand told DPOs at the IAPP Data Protection Intensive: France 2023. Le Grand's warning comes as the EDPB announced Wednesday that 26 data protection authorities will participate throughout the year in the coordinated action, focused on... Read More

Data protection officers can maintain other tasks and duties within their role, if they do not result in a conflict of interest, the Court of Justice of the European Union has affirmed. In a Feb. 9 ruling centered around Article 38 of the EU General Data Protection Regulation, the CJEU stated DPOs should “be in a position to perform their duties and tasks in an independent manner” but “cannot be entrusted with tasks or duties which would result in him or her determining the objectives and metho... Read More

Sweden's data protection authority, the Integritetsskyddsmyndigheten, released "Data Protection in Practice," a privacy operations management survey of more than 800 Swedish data protection officers. Four in 10 respondents said their companies work "continually and systematically with data protection" and half of all respondents said company management is receptive and understanding of data protection matters. IMY Analyst Andrea Amft said the survey results are "concerning" while noting DPOs req... Read More

Spain's data protection authority, the Agencia Española de Protección de Datos, reported the number of data protection officers in its database has exceeded 100,000. All companies, public bodies and organizations that have a DPO are required to report it to the AEPD and the database is free and available to the public. Of the 100,000 registered DPOs, the AEPD said "91,221 correspond to the private sector and 9,129 to the public sector."Full Story... Read More

In July, the U.K. government introduced the Data Protection and Digital Information Bill, setting out its proposed amendments to U.K. data protection laws. The proposals stem from a consultation conducted by the Department for Digital, Culture, Media and Sport last year. The consultation received nearly 3,000 responses from domestic and overseas organizations representing a cross-section of the U.K. economy. However, not all changes proposed in the bill were included in the consultation process.... Read More

Do Israeli privacy laws mandate the appointment of a data protection officer? The simple answer is that currently, it is not entirely clear. Israel faces significant changes to its privacy laws and the duty to appoint a DPO may either become part of the law or remain a regulatory recommendation only. On Jan. 25, the Protection of Privacy Authority released guidelines on the appointment of data protection officers, their roles and responsibilities. The guidelines set forth recommendations and re... Read More

China's Personal Information Protection Law has been in effect since Nov. 1, 2021, but privacy professionals and organizations are still trying to fully grasp the law's key provisions and nuances. In this third article in a five-part series exploring the top 5 operational impacts of the PIPL, Xiaomi Head of Security and Privacy Compliance Wenkuan Song analyzes the law's personal information protection officer requirement with a look into which companies need to appoint an officer, general respon... Read More

The Indian Parliament moved one step closer to passing what would be the nation’s first comprehensive data protection law when, in December, a joint committee released a long-awaited report that recommended substantial changes to the original version of the comprehensive legislation. Although Parliament has yet to submit a version of the bill for a final vote, many experts think that will happen this year.  The report is the result of a two-year deliberation by the committee during which it con... Read More

Appointment of a data privacy officer is regulated in detail under the EU General Data Protection Regulation. Mandatory DPO appointment is imposed under certain circumstances, and legal requirements are determined for the DPO role in terms of qualification as well as authorization. Under the Law on Protection of Personal Data numbered 6698 in Turkey, there is no legal requirement to appoint a DPO for data controllers, but there is a role introduced for the purposes of fulfilling the data control... Read More

Brazil’s General Data Protection Law is now in effect. Much like the EU General Data Protection Regulation, the LGPD has extraterritorial applicability, meaning any organization processing personal data in Brazil must comply with the law irrespective of the company’s location. One of the LGPD’s requirements for such companies under Article 41 is that they must appoint a data protection officer to be “in charge of processing personal data.” Given the prevalence of data processing in today’s digit... Read More

The attention on the data protection officer function has been substantially increased after the EU General Data Protection Regulation entered into force, and that has brought a lot of discussions and doubts regarding how to implement its role in an effective manner without excessive burden to the organizations and, of course, in a way to fully comply with the regulation. The following is a consolidation of some of the most enlightening decisions outlined by European data protection authorities... Read More

As the EU General Data Protection Regulation approaches its first birthday, hundreds of thousands of privacy professionals have jobs tied to the milestone. New IAPP research indicates that an estimated 500,000 organizations have registered data protection officers across Europe under the GDPR. The GDPR, which has been in force since May 2018, requires public authorities and companies monitoring individuals or processing special categories of their data on a large scale to register a DPO who has... Read More

Late May is a good time for privacy regulations to come into effect. Prior to May, short days, cold weather and rain typically keep us indoors anyway, so what better to do than work on data protection? But, after May, it’s helpful to have things mostly in order to allow for more time wandering in and thinking about nature instead of data. Isn’t it? Well (wistfully), for many data protection officers, May 25, 2018, was hardly an ending. At the IAPP, we kept working into the summer and beyond to ... Read More

1.) What is a DPO, anyway? What are they even supposed to do? In a nutshell, the data protection officer is a senior adviser with oversight of how your organization handles personal data. Specifically, DPOs should be able to: Inform and advise your organization and staff about their privacy compliance obligations (with respect to the EU General Data Protection Regulation and other data protection laws). Monitor privacy compliance, which includes managing internal data protection activities,... Read More