June 27, 2024

Last Updated on June 27, 2024

Does your company need a Data Protection Officer (DPO) and/or a Chief Privacy Officer? What about a Privacy Steward or other emerging privacy roles?

Privacy roles and responsibilities vary across organizations. But they all focus on safeguarding sensitive personal data and ensuring compliance with privacy regulations.

This post describes some of the most common privacy roles and how they relate, to help you establish the right privacy and data protection team for your business.

 

Why are privacy roles now so important?

Once considered a niche specialization within the largest enterprises, privacy roles are rapidly gaining prominence in organizations of all types and sizes. Thousands of new jobs are being filled annually, with businesses on average investing over $1.8 million to build out their privacy programs.

Privacy has gone mainstream, and privacy roles are increasingly impacting both operations and strategic decision-making. The more data-driven an organization, the more critical its need for privacy professionals to support data governance and regulatory compliance within and across departments.

These evolving efforts include:

  • Defining, developing, and measuring the effectiveness of controls and procedures to safeguard privacy rights
  • Identifying ways to reduce privacy compliance risk
  • Helping to create a company-wide “privacy culture”

The sections that follow describe key privacy roles and responsibilities.

 

Chief Privacy Officer

Chief Privacy Officer (CPO) is usually an executive/advisory role that focuses on managing privacy compliance risk, driving everyday privacy operations, and functioning as the organization’s privacy leader.

A CPO’s responsibilities often include:

  • Overseeing development and implementation of the organization’s privacy policies, procedures, and controls.
  • Overseeing privacy risk management and ensuring alignment with business goals and objectives.
  • Advising senior management and the board on privacy-related matters and emerging privacy risks.
  • Developing and leading privacy training and awareness programs for employees.
  • Serving as the primary point of contact for privacy-related inquiries from customers, regulators, and other stakeholders.
  • Monitoring changes in privacy laws and regulations and updating policies and practices accordingly.

Alternative titles for the CPO role include Corporate Privacy Officer, Data Protection Manager, or (especially if a legal background is essential) Privacy Counsel.

 

Data Protection Officer

Under GDPR Articles 37, 38, and 39, the Data Protection Officer (DPO) has a specific, important, and protected role that is mandated for some organizations. It is a best practice to avoid using this title outside its GDPR compliance-related context.

A DPO above all must be independent of corporate influence and able to represent privacy issues and risks at C-suite and board levels. The DPO is responsible for upholding the rights and freedoms of data subjects, not supporting the organization’s goals and objectives.

A DPO’s responsibilities often include:

  • Ensuring compliance with data protection laws and regulations, such as the GDPR.
  • Serving as the primary liaison between the organization, data subjects, and regulatory authorities.
  • Conducting data protection impact assessments (DPIAs) to identify and mitigate privacy risks associated with data processing activities.
  • Providing advice and guidance on data protection matters to employees and management.
  • Supporting the organizational response to data breaches, including notifying regulatory authorities and impacted individuals.
  • Maintaining records of data processing activities (ROPAs).
  • Working with third parties during audits and investigations.

The GDPR mandates that “the data protection officer shall have at least the following tasks,” and the tasks it enumerates are similar to those just listed.

 

Privacy Compliance Manager

A Privacy Compliance Manager, also called a Privacy Program Manager, Privacy Manager, or Privacy Officer, takes the role of privacy program lead. They may manage a privacy program team, oversee privacy compliance activities, and support data governance and incident response activities.

Typical responsibilities for a Privacy Compliance Manager include:

  • Implementing and maintaining a privacy compliance program aligned with regulatory requirements and organizational policies.
  • Conducting periodic privacy assessments and audits to evaluate compliance with internal policies and external regulations.
  • Coordinating with internal stakeholders, such as legal, IT, and HR departments, to ensure that privacy practices are aligned across the organization.
  • Helping to draft privacy notices, consent forms, and data processing agreements.
  • Responding to privacy-related inquiries from customers, employees, and regulatory authorities.
  • Processing data subject access requests.

In comparison to a CPO or DPO, a Privacy Compliance Manager role is usually more operational than strategic or advisory. They are hands-on with handling data protection issues, privacy workflows, and data processing activities.

The Health Insurance Portability and Accountability Act (HIPAA) mandates that covered organizations designate a HIPAA Privacy Officer, a role similar to the Privacy Compliance Manager. Under HIPAA, the Privacy Officer monitors privacy program compliance with HIPAA, investigates potential data breaches involving protected health information (PHI), handles breach reporting, and assures patient privacy rights.

 

Privacy Counsel

A Privacy Counsel or legal advisor is a legal professional who provides guidance on privacy matters, including data protection laws, regulations, and contractual obligations. As an attorney with a strong privacy background, they are qualified to review and negotiate privacy-related contract language, such as vendor agreements and data processing agreements. They can also assist in responding to data subject requests, regulatory inquiries, and data breach responses.

A Privacy Counsel is also expected to stay informed and advise the organization about legal developments and precedents in privacy law.

While you will probably need an attorney’s expertise periodically for privacy advice and legal interpretation, many organizations do not need the person overseeing their privacy program to be a legal professional. Therefore, a Privacy Counsel is often a trusted third party who can offer a sound legal opinion.

 

Privacy Awareness and Training Specialist

A Privacy Awareness and Training Specialist is responsible for an organization’s ongoing privacy education program. Their responsibilities may include:

  • Developing and delivering privacy training programs for employees at all levels of the organization.
  • Monitoring and evaluating the effectiveness of privacy training initiatives and adjusting content as needed to address emerging data protection threats and regulatory changes.
  • Creating educational materials and resources to increase awareness of privacy risks and best practices.
  • Coordinating with internal departments to ensure that privacy training is integrated into onboarding and ongoing professional development programs.

 

Leveraging a virtual privacy specialist

For organizations that cannot afford or do not need full-time privacy staff, a wide range of virtual staffing options are available.

A virtual DPO may be especially attractive for businesses that require that role for GDPR compliance but do not need the expertise full-time.

 

What’s next?

Businesses today need to get privacy right at strategic and operational levels to maintain credibility and stay competitive. Protecting personal data is not just a legal requirement, but the foundation of customer relationships.

CBIZ Pivot Point Security is a trusted partner to help you build and maintain a compliant privacy program. Contact us to start a conversation with a privacy expert about your business goals.