
Difference between the roles of the DPO and the Compliance Officer
First, it is important to distinguish the roles of the controller and the processor from that of the Data Protection Officer (DPO), as these are defined in the applicable data protection regulations, namely the General Data Protection Regulation (GDPR) and the Spanish Organic Law on Data Protection and Guarantee of Digital Rights (LOPDGDD).
Difference between controller, processor, and Data Protection Officer (DPO)
Article 4(7) of the GDPR defines the controller as the natural or legal person, public authority, agency, or other body which, alone or jointly with others, determines the purposes and means of the processing; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law. In other words, it is the person or entity that decides why and how the personal data of data subjects are used.
Likewise, Article 4(8) defines the processor as the natural or legal person, public authority, agency, or other body which processes personal data on behalf of the controller. That is, it is the person or entity that acts on the controller's instructions.
The Data Protection Officer (DPO) acts as a guarantor of compliance with data protection regulations within public and private entities. The person appointed must have expert knowledge of data protection law and practices (Article 37(5) GDPR) and must be able to perform their duties independently. The LOPDGDD specifies the requirements and the sectors in which the designation of a DPO is mandatory. In other words, the DPO is the person responsible for advising on and monitoring compliance with personal data protection within an organization.
Finally, the Compliance Officer is responsible for ensuring that organizational and business processes comply with legal requirements, internal policies, or external regulations. In other words, this person ensures that the company complies with all laws and regulations, not only those concerning personal data protection.
Therefore, the main differences lie in the responsibility each role bears for the processing of personal data. Legally, the controller bears primary responsibility towards data subjects and supervisory authorities for compliance with data protection regulations. In contrast, the processor's responsibility is limited to strictly following the controller's instructions and ensuring the security of the data as required. The DPO's role is limited to advice, supervision and oversight, independent of the management responsibilities within the organization, and the DPO does not take on the controller's liability. Finally, the Compliance Officer's responsibility is broader, since it covers compliance with all regulations applicable to the organization, not only data protection.
Functions and Responsibilities of each role
Once these four roles are distinguished, it is crucial to determine their respective functions and responsibilities:
The controller’s functions revolve around ensuring the protection of data subjects’ personal data, that is, implementing measures to safeguard personal data and enabling data subjects to exercise their rights.
The processor also has responsibilities, such as carrying out processing operations in accordance with the controller's documented instructions and with the technical and organizational measures agreed with the controller (Article 28 GDPR). In this way, the processor assists the controller in complying with data protection regulations.
The DPO’s functions are set out in Articles 38 and 39 of the GDPR and Articles 36 and 37 of the LOPDGDD. These provisions establish that the DPO must:
- Supervise: monitor projects within the organization involving personal data processing.
- Advise: provide expert guidance to ensure efficient and diligent compliance.
- Raise awareness: promote data protection awareness and provide training to prevent human error.
- Act as a liaison: serve as the point of contact for the supervisory authority (in Spain, the Spanish Data Protection Agency, AEPD) and for data subjects on matters relating to the processing of their data.
The Compliance Officer’s primary function is to implement and supervise a compliance program to prevent legal, financial, and reputational risks, and to promote a culture of integrity and responsibility within the company. This includes detecting potential legal risks and implementing preventive measures.
For example, the Compliance Officer ensures that the company maintains a compliance management system, adheres to national and international legal requirements, and stays up-to-date with regulatory standards.
Specifically, the Compliance Officer:
- Supervises all processes and operational procedures through a compliance management program.
- Manages information flow through investigation, record-keeping, and data analysis.
- Trains employees.
- Acts as a liaison between departments and senior management.
- Conducts periodic evaluations to verify that internal policies comply with applicable law.
Coordinating the DPO and Compliance Officer
Although the areas of focus for the DPO and Compliance Officer differ (data protection for the DPO and general regulatory compliance for the Compliance Officer), their collaboration is essential for a comprehensive compliance approach and to prevent conflicts of responsibility, especially in smaller organizations where one person may perform both roles.
There is no single method for coordinating these two roles. However, common practices include:
- Integration of the DPO into the compliance team: placing the DPO within the compliance structure facilitates close collaboration and, in larger organizations, avoids overburdening a single individual. The arrangement must preserve the DPO's independence: the DPO may not receive instructions on how to perform their tasks and may not hold other duties that create a conflict of interest (Article 38(3) and 38(6) GDPR).
- Collaboration on policies and procedures: both professionals should work together in drafting policies and procedures. The Compliance Officer establishes general strategies and controls, while the DPO ensures data protection policies align with the overall compliance framework.
- Risk assessment and mitigation: they can jointly assess risks, with the DPO focusing on data protection risks and the Compliance Officer expanding the analysis to legal, ethical, and regulatory risks.
- Communication and training: both should coordinate to communicate the importance of compliance and data protection throughout the organization, ensuring employees understand their responsibilities in these areas.
These practices will vary depending on factors such as company size, availability of resources for each role, and the need to maintain the independence required for each function.

Candela Martín is a lawyer specialising in digital law, intellectual property and data protection.
She holds a law degree from the Universidad de Granada and completed a double master's degree in legal practice and digital law at the Universidad de Navarra. Her practice focuses on privacy, e-commerce and contracts, with a proactive, solution-oriented approach to advising companies in the technology sector.