Growing Ranks of Data Protection Officers Can Play Important Role for Companies

Bloomberg Law: Privacy & Data Security brings you single-source access to the expertise of Bloomberg Law’s privacy and data security editorial team, contributing practitioners,...

By Donald G. Aplin

April 30 — The number of companies with data protection officers (DPOs), both in the U.S. and abroad, is growing due not only to statutory mandates but in recognition of the important role they can play in dealing with complex privacy issues, panelists said April 30.

DPOs working in tandem with chief privacy officers and chief information security officers will help provide more effective legal compliance and consumer privacy protections, particularly for large companies, panelists said at a session of the American Bar Association Section of International Law 2015 Spring Meeting.

Foreign DPO Requirements 

Although DPOs aren't mandated by U.S. law, some countries do require them.

Germany has long required DPOs, Markus Baur, partner at the Ritterhaus law firm in Frankfurt, said. Given the increasing complexity of the privacy legal landscape, the role of the DPOs is more important, he said.

Jai Wook Lee, senior foreign counsel for the Seoul law firm Yulchon LLC, said that recent amendments to the country's data protection law made in response to massive credit card company data breaches require certain companies to appoint DPOs.

Demetrios Eleftherious, senior counsel of privacy and data security for data security and storage company EMC2 in Hopkinton, Mass., said the European Union's proposed data protection regulation would make DPOs a requirement for many companies operating in the bloc.

A provision of the proposed regulation would require companies that handle the personal information of 5,000 or more data subjects within a 12-month period to appoint a DPO, he said.

In-House vs. Outside Counsel 

Having in-house privacy coverage rather than relying on outside privacy counsel is on the rise, Department of Homeland Security Chief Privacy Officer Karen Neuman said.

Fran Wiet, chief privacy officer for Takeda Pharmaceuticals U.S.A. in Deerfield, Ill., said that there may be an advantage to having someone covering privacy issues that is truly vested in the company because he or she is in-house. Of course the option makes more sense for larger companies that may be better able to afford it, she said.

Baur said that even though DPOs are required for many companies in Germany, a large number of those companies outsource the DPO function.

Eleftherious said companies may want to consider a hybrid scenario that keeps certain privacy functions in-house but sends others outside the company to professionals with particular expertise.

Sometimes contracts between companies and vendors may require that the other party have a privacy officer on board, he said.


Neuman said that even where a company elects to have in-house counsel, increasingly the person may be a privacy professional but not a lawyer.

The rise of certification programs in the U.S., such as those offered by the International Association of Privacy Professionals, has raised the confidence level in a new class of privacy and data security professionals, the panelists said.

Lee said that the privacy professional certification process in South Korea is still in the nascent stage in the wake of the legal amendments requiring DPOs.

Some of the motivation in moving away from lawyers to handle privacy matters may be in saving money, the panelists said, but there are important roles to play on privacy teams that have more to do with skill sets than legal training.

Certainly DPOs need to understand the legal parameters of privacy and data security, but the ability to build relationships and communicate both inside and outside the company are equally important, Wiet said.

To contact the reporter on this story: Donald G. Aplin in Washington at

To contact the editor responsible for this story: Katie W. Johnson at