DPO, (C)ISO, PO and CAICO are frequently used abbreviations. Although they all denote privacy and security professionals, they are distinct roles with different tasks and responsibilities. Who does what? And how do these roles relate to one another? In this blog, you’ll learn more about the different roles.
The Data Protection Officer (DPO) is the person within an organisation who oversees the application of and compliance with the General Data Protection Regulation (GDPR). The DPO has a broad, legally defined, set of responsibilities, including creating privacy awareness within the organisation and advising on GDPR obligations. In addition, the DPO acts as the primary point of contact for the supervisory authority.
A DPO has knowledge of privacy laws and regulations, as well as sufficient insight into and understanding of security and the organisation’s internal processes. A key characteristic of the DPO role is that it must remain independent within the organisation. In the past, the Dutch supervisory authority has investigated the independence of DPOs and found that in many organisations this independence was insufficient. Organisations must therefore ensure that the DPO’s independence is properly safeguarded. For example, a DPO should not perform operational tasks that they are later required to supervise. It is also legally stipulated that the DPO must have direct access to senior management. This has received international attention as well; for instance, the Norwegian supervisory authority recently fined a telecom company because the DPO did not have a direct reporting line to the board.
In some cases, organisations are legally required to appoint a DPO. This applies, for example, to public organisations and government bodies, and to organisations whose core activities involve profiling, tracking their employees, or otherwise monitoring individuals or their activities on a large scale. Organisations whose core activities involve large-scale processing of special categories of personal data, such as health or religious data, are also required to appoint a DPO. This obligation likewise applies to organisations that process criminal offence data. Incidentally, if an organisation is not required to appoint a DPO but someone does perform DPO duties, all GDPR requirements applicable to the DPO role must still be met.
Does your organisation only need a DPO for a few hours per month? We offer remote DPO services.
The Privacy Officer (PO) is a legal privacy advisor who is not a DPO. The PO is sometimes also referred to as a privacy consultant or privacy advisor. The PO has no statutory duties but is directly involved in implementing GDPR obligations. Among other things, the PO is responsible for developing and implementing the organisation’s privacy policy and provides support to the DPO. The PO plays a major role within the organisation by acting as the (first) point of contact for privacy-related questions. Examples include drafting or negotiating data processing agreements and carrying out Data Protection Impact Assessments (DPIAs).
The Chief Information Security Officer (CISO) is the organisation’s advisor on information security and defines the information security strategy. The person fulfilling this role has knowledge and experience in information security, risk analysis and specialised security techniques, as well as knowledge of relevant laws and regulations. The CISO interacts both with senior management and extensively with the internal organisation. Under the Dutch Government Information Security Baseline (BIO), government organisations are required to appoint a CISO. For other organisations, this is not mandatory, but appointing a CISO can still be advisable in order to identify and mitigate information security risks.
The Information Security Officer (ISO) is responsible for implementing the information security policy and translating the strategy defined by the CISO into tactical and operational actions. The ISO supports the CISO and advises the organisation on information security risks and the measures needed to address them.
The Certified AI Compliance Officer (CAICO) advises on legal and ethical issues relating to the responsible use of AI within an organisation. The CAICO helps organisations comply with the requirements of the AI Act and contributes to the development and implementation of governance strategies. The CAICO works together with, among others, privacy and security professionals to ensure that the organisation complies with the AI Act.
Would you like to deepen your knowledge of one of the roles discussed in this blog? Explore our education and training offerings.