You Know You Need a DPO—But What About a Privacy Champion?
Written by Jonathan Kass, Co-Founder & VP of Operations at Pyxos
The Origin of the Data Protection Officer (DPO)
When I was first challenged with implementing privacy regulations, back when the U.S. Health Insurance Portability and Accountability Act (HIPAA) was first released, I thought it would be relatively straightforward. There was a list of rules about how data should be protected and transmitted, and everyone would simply follow them, and it would be okay.
Of course, it's never that simple. Privacy regulations, as detailed as they may be, are not as absolute as they might be. And enforcing compliance with them, even inside a company, is often easier said than done.
With the latest round of global consumer privacy regulations, a new role was created to centralize accountability for a company’s compliance—the Data Protection Officer, or DPO. The DPO’s job is to ensure a company’s compliance with regulations (e.g. GDPR or KSA’s PDPL), and also to be a central point of contact for a company or establishment on all things privacy-related.
Why a DPO Is Not Enough
Once again, it could seem like the question ‘who is responsible for our company’s privacy compliance’ is now simple: it must be the DPO; after all, it's in their title, right?
Not exactly. Much as following the standards is always a bit more complicated than it might appear to be, understanding who is really responsible for a company’s data compliance can be as well. Because while it's important to have a DPO who can provide guidance and create centralized accountability, the cliché is true—privacy really is everyone’s business.
Why Privacy Needs to Be Shared
But how does everyone in a company know it's their business? Well, the DPO can put out a lot of emails and policies, but if a privacy program is really going to be successful at protecting both the individual’s data and the company’s reputation, then leaders across a company or establishment need to see themselves as part of the privacy team—as Privacy Champions within their own areas of responsibility.
Enter the Privacy Champion
That’s where the Privacy Champion comes in. What we in the business and technology community have learned from decades of regulatory rollouts is that companies and establishments are much more successful at setting and maintaining their regulatory compliance when leaders in each department or function include privacy in their own goals and messaging. In this context, “Privacy Champion” is another role that the individual area leader plays.
What a Privacy Champion Looks Like in Practice
But how can a manager also be a Privacy Champion? It’s about perspective—when senior leaders embrace privacy as part of the job, everything from how they talk about it to how they plan their objectives and goals changes. Privacy becomes one of the operating principles of the department, not something that is treated as an afterthought or an ‘additional cost’ on top of planned objectives and goals.
And when leaders take privacy seriously and personally, their teams notice—and feel empowered to focus on ensuring they are not only meeting their goals, but also doing that in a way that is consistent with company policies and practices around protecting individual data.
Why a Privacy Champion Matters: Culture, Risk & Reputation
Conversely, when leaders treat privacy as ‘one more thing’ their teams have to do, without fully committing and supporting their teams in the process, well, those teams notice as well. Privacy becomes a checklist item, an afterthought, and can often be overlooked as a result. Not a big deal, of course—until there is a data compromise or a failed audit, at which point it will become a very expensive problem to solve—one that might have been avoided to begin with—and one that has the potential for significant reputational damage for the company when it becomes public.
So, back to how to be a Privacy Champion and make sure your team avoids those kinds of unfortunate outcomes.
4 Steps to Become a Privacy Champion
There are a few basic actions each leader can take to champion privacy:
Talk about it: whenever you have the chance, incorporate privacy in the message. For example, if you’re celebrating an update to your online store—“Look at the amazing updates our team has delivered for our sales site! They’ve done a great job of making it easy for our customers to buy—and for them to go through our consent and preferences, so the customers can control their personal data—nice job!”
Build it into your goals and KPIs: like a manufacturing or heavy equipment plant that might track ‘days without an incident’, develop metrics and reporting to both maintain the transparency around your privacy compliance, and also to enable your team to be recognized when they follow—or even improve—the company procedures.
Listen and support your team’s privacy concerns: make sure your team knows you genuinely care about any concerns they raise on privacy. Designate resources (e.g. budget) that can be used for privacy improvements or concerns as they arise.
Stay up to date: finally, keep current on privacy-related news and issues relevant to your business and department. If you’re successful in making privacy part of the fabric of your company or establishment, you’ll likely be well positioned when a competitor makes news for missing the mark on data privacy.
Key Takeaways
A DPO alone isn’t enough—privacy requires shared ownership.
While a Data Protection Officer (DPO) provides structure and accountability, real success in compliance comes when senior leaders across departments embrace privacy as part of their daily responsibilities.
Privacy Champions turn compliance into culture.
Leaders who talk about privacy, measure it as part of team success, and support their teams in building it into daily work help create a culture of compliance. In doing so, you build trust, reduce risk, and protect the reputation of your company or establishment—before a crisis forces action.