Understanding the role and need of a data protection officer

Third in a series of three articles about the changing nature of data strategy for businesses. The first article is here. The second article is here. Excerpted from Data Leverage: Unlocking the Surprising Growth Potential of Data Partnerships by Christian J. Ward and James J. Ward. Reprinted with the authors’ permission. More data strategy and data privacy articles can be found at Ward PLLC.

Introducing the Data Protection Officer

Based on our experience in our law firm, you should be considering a data protection officer. As the name suggests, this is an officer-level position dedicated to the protection of your data. People typically confuse this role with the roles of the chief information officer, chief data officer, or chief technology officer.

Each position’s responsibilities are actually different, although one of those individuals could technically fulfill the role of DPO. If data protection is a clear part of their job this may make sense. The real difference though, is that none of those other C-level roles is mandated by Europe’s General Data Protection Regulation.

The GDPR applies to companies that market or sell to Europe, even if the company isn’t itself located in the European Union. And even if your company does not have a presence in Europe, the concept of appointing a competent, capable individual to oversee your data security and privacy policies is simple good sense, regardless of whether it is a legal requirement, for reasons we set forth below.

The DPO is responsible for the ongoing protection of customer data and sensitive data within an organization. They represent the customers’ interest in protecting data at the company they work for, and the company’s own interest in complying with data security laws.

Additionally, companies that are mandated to have a DPO under the terms of the GDPR cannot terminate the DPO simply for doing their job. The DPO is protected, and therefore has the ability to give unbiased counsel and guidance. This is a unique situation that helps ensure that companies required to appoint a DPO are also not permitted to prevent the DPO from representing the best interest of their customers (or data subjects).

A DPO is supposed to speak up for the data, and the individuals that the data represents. In chapter 2 we explained that most data of business value is actually about a person. That understanding is crucial to the faithful execution of the role of the DPO.

The GDPR mandates a DPO for those businesses that process large amounts of personal data or engage in ongoing tracking and monitoring of personal data. Consult your regulatory experts to determine if a DPO is mandatory for your business. Even if it isn’t, we believe most companies should have one.

The DPO works alongside of the other C-suite officers at your firm and maintains Data Protection Authority rules and regulations. This means that they should be expert or well-versed in the GDPR and all of its requirements, but it also means that the DPO needs to understand other jurisdictional requirements around the world in places your business operates.

This responsibility is a serious one, and you should review the information available at the International Association of Privacy Professionals (IAPP) for further clarity. The IAPP is the world’s largest information privacy community and provides comprehensive data privacy and regulatory certification training.

Because you have gotten this far, you must believe that your business has opportunities to create value through your data and data partnerships. You have also certainly noticed the seemingly daily disastrous headlines about data breaches plaguing companies.

There have been hundreds of different data breaches involving more than 30,000 records each; some of these breaches affected hundreds of millions of data subjects. There may be others we don’t know of yet, as well as additional breaches that affected fewer records. The actual instances of data being misused, stolen, or mishandled are too numerous to track.

When gurus like us say that “data is the new currency,” they typically are discussing ways you can transact and make money with your data. But data is subject to the same risks as currency, including theft, embezzlement, counterfeiting, and seizure.

Once you understand data as currency, you recognize why you must put forth the same effort toward protecting data as you do to protecting financial accounts and access to your business coffers. This is why we consider the DPO to be just as essential as the CFO.

The DPO is authorized to work throughout a business to review any practices related to the data of the business and its customers. This implies a close working relationship with every division and manager, but also a comprehensive, firm-wide view of data assets.

Don’t overlook the need for strong interpersonal and communications skills for your DPO. While they aren’t responsible for creating data partnerships, the DPO is the ideal person to review each arrangement for potential risks or threats. Your finance department includes roles to help you identify risky behavior; you could similarly use a sheriff for data protection practices across your company.


Christian J. Ward


James J. Ward