DPO or compliance officer?

Explore the unique role of a GDPR-regulated Data Protection Officer (DPO) and how it differs from titles like Data Privacy Officer. Learn about the DPO's exclusive responsibilities, appointment process, and their pivotal role in ensuring GDPR compliance.

It’s very important to understand the difference between a Data Protection Officer and all other titles, such as Data Privacy Officer, compliance officer or GDPR compliance officer, for one reason: only the Data Protection Officer (DPO) is regulated by the GDPR. In practical terms, this means the DPO has specific tasks he needs to carry out, a specific position, and specific protection with regard to his liability.

And that’s not the case with all the other titles.

In an organization, someone might be responsible for GDPR compliance without being a DPO, and provided the organization doesn’t have to designate a DPO, that’s perfectly fine. The Data Protection Officer, however, is appointed through a procedure outlined in the GDPR, which involves distinct responsibilities such as monitoring adherence to the regulation, providing advice on data protection impact assessments, and overseeing their execution.

So in order to determine if your organization needs to appoint a DPO, or if it would be beneficial, let’s look at the cases where a DPO is mandatory.

Is a GDPR DPO Mandatory?

Organizations are required to ensure compliance with the GDPR, and this certainly requires having at least one person responsible for the task (a “lead” or “mission officer” for the GDPR).

Yet, the appointment of a GDPR DPO is mandatory only in three scenarios (Art. 37):

  • If the organization is a public authority or body;
  • If the organization conducts large-scale, systematic monitoring of individuals;
  • If the organization’s core activities involve large-scale processing of sensitive GDPR data (Art. 9 and 10), such as health data.

Outside of these cases, appointing a DPO remains optional.

Is It Advisable to Appoint a DPO?

It is absolutely essential to have someone within the organization who is trained, and whose mission is to ensure that the obligations imposed by the GDPR are being met.

The DPO can partially play this role, or it can also be a person who has undergone GDPR training to ensure that the organization complies with data protection regulations.

In cases where the designation of a DPO is mandatory, the situation is simple: the organization will have to appoint a DPO. However, do not expect the DPO to handle the GDPR compliance of the organization; that’s not his role at all! Yes, this adds to the confusion about what the DPO’s role really is, but there’s a fundamental segregation of responsibilities: the DPO is not the controller, and he is independent from him. Therefore it’s not his role to ensure the compliance of the organization; that’s the controller’s role! Do not confuse the two. Let’s look at Article 38.3:

Art. 38.3 The controller and processor shall ensure that the data protection officer does not receive any instructions regarding the exercise of those tasks. He or she shall not be dismissed or penalized by the controller or the processor for performing his tasks.

The role of the controller is defined in Article 4:

‘controller’ means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data

Therefore, the controller has to handle its own GDPR compliance, independently from the DPO, as he will be the one liable for it.

An easy way to understand the position of the DPO is to see him as an employee of the national control authority, but paid by the controller. The DPO is independent from the controller and gives feedback about the level of compliance. He does not organize the overall GDPR compliance of the organization, but helps review the work and provides an independent opinion in that regard.

Beyond the 3 cases where the organization has to appoint a DPO, its designation through the procedure outlined in the GDPR is at the discretion of the controller. Can it be beneficial? Sure, particularly in very large organizations (Fortune 500, CAC40…) where a legal team is in charge of compliance and the DPO offers an independent assessment of the work and quality control.

Two important requirements for the DPO

If the organization decides to appoint a DPO, two important requirements will need to be met (Art. 37.5), specifically:

  • Knowledge of data protection law and practices
  • Ability to fulfill their responsibilities

Fortunately, a full DPO training is already included in Legiscope, so there are no additional costs for organizations that choose our software; our training has been delivered to a significant number of DPOs of CAC40 companies and is very highly rated.

How is the GDPR DPO Appointed?

If an organization wishes to appoint a DPO in accordance with GDPR requirements, it must designate this individual directly to the national supervisory authority (in France, for example, the CNIL, which has an online procedure).

Alternatively, if an organization simply wants someone to handle these matters without formal DPO designation, no procedure is required beyond ensuring that their responsibilities are included in the job description of the employee or in the service contract with the chosen provider.

Can the DPO be an External Party, or Must They Be Internal?

The DPO can be either an internal employee or an external service provider. Article 37.6 of the GDPR specifically allows for this:

  1. The data protection officer may be a staff member of the data controller or processor, or fulfill their tasks on the basis of a service contract.