The DPO and PO: their differences

You’re probably getting used to us elaborating important abbreviations out of the industry by now. No worries, we got more in store for you today. We are going to tell you about the DPO and the PO – and their differences – within organisations. So, let’s go and dive into the (D)PO.

Since the GDPR came into effect in 2018, organisations had to implement a lot of measures and changes in the technical, operational and management department. Public organisations and large-scale companies were required to designate a Data Protection Officer (DPO). Other companies, that – due to not being public organisations and/or the request not being relevant to their scope and size – supported their data privacy efforts with the help of a Privacy Officer (PO). While the DPO and the PO have overlapping responsibilities, they are different roles, with different focuses. We will explain.

The GDPR request

Like we mentioned above, appointing a DPO is mandatory for the folllowing organisations:

  • Organisations that are a public authority or public body;
  • Organisations with core activities that involve large scale processing of special categories of personal data and data relating to criminal convictions;
  • Organisations with core activities that involve regular and systematic monitoring of data subjects on a large scale.

For the Data Protection Officer of these three types of organisation, the GDPR request looks like this:

  • To inform and advise the controller or the processor and the employees. They are responsible for carrying out processing of their obligations pursuant to the Regulation and to other Union or Member State data protection provisions;
  • To monitor compliance with the GDPR and other data protection laws and the data protection policies of the organisation. Which includes assigning responsibilities, raising awareness and training the staff involved in processing operations and the related audits;
  • To provide advice, where requested, about the data protection impact assessment and monitor its performance.
  • To cooporate with the supervisory authority and act as the contact point for them on issues relating to processing.

The appointment of a PO is never a legal requirement. First difference: check.

Internal or external?

The GDPR allows organisations to choose whether to appoint an internal or external Data Protection Officer. The Privacy Officer can be appointed internal, to a permanent member of staff, or external acting under a service contract.

Key responsibilities of the DPO of PO

The DPO is responsible for overseeing the data protection strategy and implementation of an organisation. The PO builds a strategic and comprehensive privacy program. The DPO is the main connection with regulators and supervisory authorities, while the PO establishes governance for the privacy program together with an organisations’ management.

Other responsibilities of a DPO are training employees on GDPR compliance requirements, conducting regular assessments audits to ensure GDPR compliance and acting as the promotor for interests of consumers, customers, employees and other data subjects. The PO is busy conducting compliance monotoring activities as part of the compliance team and designing and delivering initial and ongoing privacy training for the entire organisation.

To conclude, it is strongly recommended for every organisation to appoint a privacy contact person, in order to guarantee that the protection of personal data and the privacy of all stakeholders are well secured. This can be DPO, but also a PO, a combination of the two or another designation.

Take care of your security and privacy, folks.

You can thank us later.

Table of Contents

Compliance Platform for Tech Companies


All-in-One DIY Compliance Platform to help tech businesses towards their ISO 27001, ISO 9001, or SOC-2 certification and stronger performance on privacy and security. Ready?