There is a high degree of overlap between global data protection regulations, but some subtle differences could potentially lead to misinterpretation. This is especially so in the comparison of roles of the Information Officer (IO) in South Africa’s Protection of Personal Information Act (POPIA) and that of the data protection officer (DPO) in Europe’s General Data Protection Regulation (GDPR).
Naming of roles
GDPR defines the organisation that determines the purposes and means of processing personal data as the Controller; POPIA calls it the Responsible Party. GDPR defines the organisation to which the Controller outsources processing of its personal data as the Processor; POPIA calls it the Operator.
GDPR does not require the Controller itself to register with the regulatory body (the Supervisory Authority); where a DPO is designated, the Controller or Processor must publish the DPO’s contact details and communicate them to the Supervisory Authority (Article 37(7)). POPIA, by contrast, requires the Information Officer (IO) and Deputy Information Officers (DIO) of a Responsible Party to be registered with the Information Regulator.
GDPR mandates the Controller or Processor, in some instances, to appoint a Data Protection Officer (DPO). POPIA defines no such role, so it is curious that some are likening the role of the Information Officer to that of the DPO – in particular, suggesting that the IO and DIO roles may be filled by someone external to the organisation.
Duties and responsibilities
The POPIA Information Officer
The POPIA Information Officer has to be a person within the organisation.
The Information Officer, supported by Deputies, acts on behalf of the Responsible Party, and is expected to:
Encourage the organisation to comply with the conditions for the lawful processing of personal information
Deal with requests made to the organisation under POPIA, including data subject access requests
Work with the Regulator in relation to investigations
Otherwise ensure compliance by the organisation with the provisions of POPIA
Ensure that a compliance framework is developed, implemented, monitored and maintained
Ensure that a personal information impact assessment is done
Ensure that a manual is developed as prescribed in PAIA (the Promotion of Access to Information Act)
Ensure that internal training and awareness sessions are conducted
Designate Deputy Information Officers as appropriate
(Source: POPIA, S.55(1) and S.56; Regulation 4.)
The GDPR Data Protection Officer
The DPO can be an external person appointed for the role.
GDPR’s Data Protection Officer is appointed by the Controller or Processor and is expected to, at least:
Inform and advise the controller or the processor and the employees who carry out processing of their obligations
Monitor compliance with the GDPR, with other Union or Member State data protection provisions and with the policies of the controller or processor in relation to the protection of personal data, including the assignment of responsibilities, awareness-raising and training of staff involved in processing operations, and the related audits
Provide advice, where requested as regards the Data Protection Impact Assessment and monitor its performance
Cooperate with the supervisory authority
Act as the contact point for the supervisory authority on issues relating to processing, including the prior consultation referred to in Article 36, and to consult, where appropriate, with regard to any other matter
(Source: GDPR Chapter IV, Section 4 – Articles 37, 38, 39)
Who should be registered, appointed?
Registration of the IO and DIO is mandatory. The Information Officer is, in the case of a sole trader, the owner of that business; in the case of a partnership, any one of the partners; and in the case of a company (juristic person), the CEO, Managing Director or equivalent officer, or any person duly authorised by that officer. (This means that the Chief Executive Officer, Managing Director or equivalent officer of the juristic person may authorise any natural person within the body to act as its Information Officer.)
Any person authorised as an Information Officer should be at an executive level or equivalent position. This means that only an employee of a private body at a level of management or above should be considered for authorisation as the Information Officer of that body. Only employees of a body can be designated as Deputy Information Officers.
Even where functions are delegated to a Deputy Information Officer, the Information Officer retains accountability and responsibility for those delegated functions.
(Source: The Information Regulator’s Guide to Information and Deputy Information Officers)
GDPR EU / UK
The designation of a DPO is mandatory where:
– The processing is carried out by a public authority or body, except for courts acting in their judicial capacity
– The core activities of the controller or the processor consist of processing operations which, by virtue of their nature, their scope and/or their purposes, require regular and systematic monitoring of data subjects on a large scale; or
– The core activities of the controller or the processor consist of processing on a large scale of special categories of data pursuant to Article 9 and personal data relating to criminal convictions and offences referred to in Article 10.
The data protection officer shall be designated based on professional qualities and, in particular, expert knowledge of data protection law and practices and the ability to fulfil the tasks referred to above. The data protection officer may be a staff member of the controller or processor or fulfil the tasks based on a service contract – i.e., may be external to the organisation. Even though an organisation may not specifically be required to appoint a DPO, it may appoint one voluntarily.
The controller or processor remains responsible for compliance with data protection law. If the controller or processor makes decisions that are incompatible with the GDPR and the DPO’s advice, the DPO should be given the possibility to make his or her dissenting opinion clear to those making the decisions. Article 38(3) also requires that DPOs should ‘not be dismissed or penalised by the controller or the processor for performing [their] tasks’.
It is evident that POPIA’s Information Officer and GDPR’s Data Protection Officer cannot be equated. The roles and their responsibilities are quite different, and the IO cannot be externalised. Registration of the IO is mandatory, while designation of a DPO is mandatory only in some cases. (Some Member States go further than the GDPR thresholds: in Germany, for example, section 38 of the Federal Data Protection Act (BDSG) also requires non-public bodies that constantly employ at least 20 people in the automated processing of personal data to appoint a DPO.)
I have a broad-based managerial background in the petroleum industry, where I gained cross-cultural, local and international experience. I have held senior positions in IT governance, risk and compliance; business continuity; crisis management and data privacy management.