The question of where to place, and how to structure, the privacy function is a crucial one for organisations striving for privacy excellence. The Data Protection Officer (DPO) and Chief Privacy Officer (CPO) are two key roles for any global organisation processing personal data at scale. While they have overlapping responsibilities, they are in fact distinct roles with different focuses.
The GDPR defines the key responsibilities of the DPO as follows:
· to inform and advise the controller or the processor and the employees who carry out processing of their obligations pursuant to this Regulation and to other Union or Member State data protection provisions
· to monitor compliance with the GDPR and other data protection laws and the data protection policies of the organisation, including the assignment of responsibilities, awareness-raising and training of staff involved in processing operations, and the related audits
· to provide advice, where requested, about the data protection impact assessment and monitor its performance
· to cooperate with the supervisory authority and act as the contact point for them on issues relating to processing
In essence, the DPO is the guardian of privacy and data protection standards, the main interface with regulators and supervisory authorities, and the advocate for the interests of consumers, customers, employees and other data subjects. Under the GDPR, the appointment of a DPO is a legal requirement in the circumstances set out in Article 37: for public authorities and bodies, and for controllers or processors whose core activities involve large-scale regular and systematic monitoring of data subjects or large-scale processing of special categories of personal data or criminal conviction data.
The appointment of a CPO is not a legal requirement. Nonetheless, most large organisations (or those involved in high-risk data processing) have a CPO as a privacy leader or someone who heads the privacy function. Key CPO responsibilities include:
· Acting as the champion for privacy and data protection in the organisation
· Representing the privacy function at C-suite level
· Ensuring privacy by design and that the business grows in a privacy-compliant manner
· Liaising with the media on privacy-related issues
· Implementing privacy-related projects and major new data processing activities
· Leading privacy governance and compliance within the organisation
The CPO is responsible for designing, implementing and championing the privacy programme of their organisation. While they need to have data subject interests in mind, the CPO acts primarily as an advocate for the organisation.
Conflicts of Interest
The French CNIL and other DPAs have indicated that the DPO should not act as ‘judge and jury’ in their oversight of privacy compliance. This casts doubt on whether the CPO of an organisation can also act as its DPO.
The CPO is frequently a lawyer, although the Dutch AP has said it is doubtful whether a person can act as a lawyer for the organisation (for example as its GC or CPO) and hold the DPO position at the same time.
Whereas the CPO is responsible for building the privacy programme and ensuring its efficacy, the DPO is responsible for oversight of compliance with frameworks such as the GDPR, CCPA, LGPD or other privacy regulation.
It is crucial for any organisation that there is a good working relationship between the CPO and DPO, including clear lines of responsibility between the two roles.
Locating the privacy organisation
According to the GDPR, the DPO must report to the highest levels of management in the organisation. In some senses, the DPO is a free-standing position within an organisation: it is a docking point for regulators and data subjects. This allows for the possibility of appointing an external DPO, which has certain advantages, namely independence and expertise.
The CPO, on the other hand, is typically integrated into an existing function such as Legal, Compliance, Regulatory or IT. Although there is no perfect fit for the CPO in terms of its positioning, the role should have sufficient seniority to engage cross-functionally across the organisation and to cascade instructions on privacy-related issues. Similarly, the privacy organisation should be sufficiently embedded that it is connected to Legal, Compliance, IT, Audit and senior management.