The difference between a compliance officer and a data protection officer

November 22, 2018 by Beth Osborne

With the introduction of GDPR (General Data Protection Regulation), the European Union’s latest data privacy act, organizations across the globe must meet compliance requirements. GDPR is changing the way companies handle customer data.

The new legislation was created to standardize data protection regulations across all 28 countries in the EU. It also gives consumers a great level of control over their personal data. GDPR ushers in a new era: for the first time, digital privacy will be legally enforced. The regulations went into effect on May 25th, 2018.

There are many essential aspects of the regulation. Companies will be held accountable for any breach of privacy, with large fines possible. To comply, organizations need to make changes to their website and opt-in policies. The impact to business is significant and is changing the way companies collect, store and use customer data.

GDPR applies to all organizations holding and processing EU residents’ personal data, which means the company doesn’t have to be in the EU in order to be affected. Organizations outside the EU must adhere to these requirements as well.

The GDPR also adds another layer to a company’s information security practices. Many will need to hire people to fill a new role, the Data Protection Officer (DPO). Most companies already have a compliance officer, so how will the DPO differ from this current role?

First, let’s look at the role of the DPO.

What is a Data Protection Officer (DPO)?

A DPO has the formal responsibility for data protection compliance within a company. In certain countries, including Germany, the DPO has become a legal obligation; however, not every company will require a DPO. GDPR defines three different types of organizations that must appoint a DPO:

  • Public entities
  • Companies with large-scale systematic monitoring of individuals
  • Companies that process special types of data such as health, gender and religion

The size of the company by employees does not matter; rather, the determining factor is the actions by the company, which designate it as needing a DPO. However, the European Article 29 Working Party (WP29) has addressed the role as being a recommendation for all companies.

What does a DPO do?

The duties of the DPO are defined in Article 39 of the GDPR and include:

  • Monitor compliance with the GDPR and other national data protection laws as well as policies established by controllers or processors for the protection of personal data
  • Perform internal audits to ensure compliance
  • Elevate awareness within the organization about compliance requirements
  • Train staff involved in processing operations
  • Act as a liaison between the organization and supervisory authorities
  • Manage internal data protection activities
  • Advise on data protection impact assessments

An important part of the DPO’s role is to remain independent while conducting these duties. The organization cannot tell them how to perform their duties and must also provide them with the resources needed to carry out their duties.

What is a compliance officer?

Now that you know about the role of the DPO, it’s important to differentiate it from the role of the compliance officer. The central responsibility for a compliance officer is to ensure the company is conducting all its business activities in accordance with national and international laws as well as specific industry requirements.

Compliance officers serve both an ethical role and a practical one. They help manage risk, maintain a favorable reputation and avoid litigation.

Those in these roles must have a deep understanding of industry and standard business law. Not only is the compliance officer charged with keeping business operations compliant, they also often take part in educating the entire company about compliance and establishing practices to foster this kind of culture.

Compliance officers are found most often in healthcare and finance, but other highly-regulated industries may also have such a role. Related to responsibilities, there are two levels:

  • Level 1: Compliance with the external rules imposed upon an organization as a whole
  • Level 2: Compliance with internal systems of control to attain compliance with externally-imposed rules

Differences between a DPO and compliance officer

As you can see, there are similar duties and requirements for these roles. The major differentiation is that the GDPR defines the DPO and mandates the role in some situations, while a compliance officer is not a role defined by any particular regulation and the role can differ from organization to organization. The compliance officer is tasked with ensuring compliance across every compliance requirement, whereas the DPO is focused solely on GDPR. The DPO also needs independence to operate; compliance officers don’t necessarily need this separation.

Reconciliation of various governance functions

GDPR isn’t the only governance rule that organizations must follow regarding data privacy. There are additional regulations like FINRA and HIPAA. Thus, all compliance team members must work together to have a full view of all compliance requirements on both the business level and the individual level. Many of these laws overlap in what’s required, so this should be reviewed as well to ensure there is no duplication of efforts.

More about the role of the DPO

What else do you need to know about the role of the DPO? Let’s look at how they interact with others and what skills are necessary.

DPOs and chief marketing officers work together to ensure compliance

Marketing plays a big role in the compliance of GDPR, as they are responsible for the lists to which they send communications. When an EU resident wants to be removed from a list, this is called the “Right to Erasure.” This means that every record containing their information must be deleted from marketing lists. Thus, the DPO needs to work with the CMO and his or her team to ensure that this occurs in a timely and accurate manner. This plan should be documented as well so that there is no interpretation of what to do with a “Right to Erasure” request.

Additionally, marketers need to make their blog GDPR-friendly with the correct notices about cookies as well as the privacy policy. This is simple to do, and there are even plug-ins that can automate it.

Necessary skills of the DPO

A DPO must have certain technical skills that may not be required of a compliance officer. The two major skillsets required relate to legal and technical expertise:

  • Legal knowledge: Knows regulations backwards and forwards, understands every detail, well-versed in legal language. Many have a legal education
  • Technical background: Practical knowledge of the IT infrastructure that processes the data to be protected, so technology acumen must be high in order to carry out necessary assessments

Other skills important for a DPO to have include excellent communication skills, the ability to remain independent and having no conflicts of interest. While GDPR does not specifically define the skills needed, this is a position that requires education, experience and expertise. A compliance generalist would not have the abilities that are necessary to remain in adherence to GDPR.

Certifications for DPOs and compliance officers

For DPOs, it’s recommended that the individual attend a Certified Information Privacy Professional/Europe (CIPP/E) class. Such a class is designed for DPOs and other privacy and data professionals. It provides comprehensive knowledge and understanding of the GDPR, European legislative framework and other important topics, such as the EU-U.S. Privacy Shield.

There are several different certifications a compliance officer should consider. Some of those are industry-specific, like HIPAA compliance certifications for healthcare employees. Compliance officers may also find value in the Certified Information Privacy Professional/United States (CIPP/US) certification, which goes in depth on U.S. privacy laws and regulations. The course also includes information about laws governing access to private information by law enforcement or national security agencies.

Hiring a DPO

Along with certifications, there are some best practices to use when hiring a DPO. GDPR doesn’t define exactly what attributes a DPO should have; however, there are some essential questions to ask. When putting together your questions for interviewing candidates, consider adding these.

  1. What challenges have you faced during your cybersecurity career?
  2. What is your level of experience with EU data protection law?
  3. Describe your audit and assessment capabilities
  4. Have you been involved in any cybersecurity investigations? If so, what were they?
  5. Do you have any EU data protection certifications?
  6. Have you performed a privacy impact analysis?
  7. What is your experience in defining data privacy and protection policies? How would you educate and inform the company of these?

Beyond GDPR, a DPO can offer competitive advantage

While GDPR mandates the DPO position, don’t simply think of the role in this manner — as a consequence of doing business. With the right DPO, compliance will be of the highest quality and you can rest assured your company is clear from any legal trouble related to noncompliance. Having a DPO is just good business in the ecosystem of a data-driven world. This role is essentially a safety net for the care and safety of customer data. Thinking of the role this way leads to insights that could offer your company a competitive advantage.

If you are currently looking for a DPO, be sure to use these best practices to find the right fit. If you currently have a DPO, ensure they have the most up-to-date knowledge and certifications with programs from InfoSec Institute, which for over 20 years has been offering information security education.
