Who is responsible for data protection in a company?

Everyone who processes personal data has a crucial role to play in data protection and information governance. If you’re being trusted to access the personal information of individuals such as your customers and staff, it’s essential that you earn that trust by keeping their data safe and secure.

But while this responsibility belongs to anybody who handles personal data, there are also specific roles within organisations that are pivotal in keeping the processing of personal data safe and compliant with data protection legislation.

The role of the DPO

If your organisation has a Data Protection Officer (DPO), they will play a key role in your organisation’s data protection compliance.

The DPO plays a major part in an organisation’s data protection strategy and data protection compliance. Their role is to assist the organisation in monitoring their internal compliance, to inform and advise on their data protection obligations, to provide advice regarding DPIAs, and to act as a point of contact for the Information Commissioner’s Office (ICO).

Although DPOs play a key role, there is a misconception that they are fully responsible for an organisation’s data protection compliance. This is untrue; a DPO serves only an advisory role and is not responsible for an organisation’s compliance. It is ultimately up to the organisation to decide upon its actions and which course is best to take, but it should always carefully consider the DPO’s advice.

Not every organisation is legally obligated to have a DPO, but appointing this role is usually recommended. Click here to find out if your organisation needs a DPO.

We provide training that gives delegates the knowledge and expertise required to perform effectively in data protection roles such as the Data Protection Officer. Visit our training pages to learn more about our Effective DPO and BCS Practitioner in Data Protection courses.

The role of the SIRO

The Senior Information Risk Owner (SIRO) also holds a position that can significantly impact your organisation’s data protection compliance. The role of a SIRO is mandatory for organisations that are in the public sector or those which are contracted to deliver services under the National Health Service (NHS).

The SIRO will act as an advocate for information risk at board level and is responsible for managing information risks.

Some key responsibilities include:

  1. Overseeing the development of an Information Risk Policy and a strategy for implementing the policy within the existing framework.
  2. Taking ownership of the risk assessment process for information and cyber security risk, including an annual information risk review.
  3. Reviewing and agreeing action in respect of identified information risks.
  4. Ensuring the organisation’s approach to information risk is effective in terms of resource, commitment and execution, and that this is communicated to all staff.
  5. Providing a focal point for the resolution and/or discussion of information risk issues.
  6. Ensuring the board is adequately briefed on information risk issues.
  7. Ensuring that all care systems information assets have an assigned Information Asset Owner.

This role differs from that of the DPO in that it carries a degree of responsibility: a SIRO is responsible for information risk management.

It should be noted that the SIRO is not responsible for data protection as a whole, but rather, effectively managing information risks, which is a step in the right direction toward data protection compliance. Click to read about our training course on being an effective Senior Information Risk Owner.

The role of the Data Protection Manager

The Data Protection Manager (DPM) is another role that can play a pivotal part in an organisation’s data protection compliance. The scope of this role can vary, but largely, the person fulfilling it will be on hand to assist the DPO and provide independent advice. They can challenge data protection and information governance processes and practices and help employees to understand their own responsibilities. The DPM can be accountable for making sure that DPIAs, SARs, data breach procedures and other procedures are followed within the organisation. We would recommend that the DPM undergoes a foundation or practitioner level certification, ideally with the BCS if the organisation is subject to UK law.

The role of the Data Champions or Privacy Champions

Privacy Champions are integral to championing data protection within their business area, serving as go-to experts for staff with data protection queries. They play a crucial role in promoting privacy awareness and compliance, guiding the completion of Data Protection Impact Assessments (DPIAs), and ensuring the maintenance and accuracy of the Record of Processing Activities (RoPA). Their expertise is vital in embedding privacy considerations into everyday operations, thus reinforcing the organisation’s commitment to safeguarding personal information. Data Champions should have a higher level of knowledge than a normal employee; we would recommend our data champion training course.

The organisation’s employees

Anyone in an organisation has a responsibility to uphold data protection compliance. This should be outlined in an organisation’s Data Protection Policy, and in short, all persons who handle personal data in some way have some level of responsibility for making sure that this data is handled safely and correctly.

Staff should receive adequate training for their role and on the importance of the UK GDPR, and should have clear policies and procedures in place to follow.

Key takeaways

In short, there is no single individual or group that takes all responsibility for an organisation’s data protection compliance. For instance, as mentioned before, the Data Protection Officer can advise organisations, but they do not themselves bear responsibility for compliance, and even if a DPO gives an organisation advice, the organisation can choose not to act upon it.

Employees need to bear in mind that everyone has a part to play in data protection, and organisations need to remember that often, data protection and keeping personal data safe starts with those employees handling personal data.

How can DPAS help?

Trying to figure this all out with no knowledge or expertise can be a difficult task, as there’s a vast amount of information to take in. Maybe you are in one of these roles but feel overwhelmed by the responsibilities and need to boost confidence in your job performance. After all, it certainly is a complicated job.

That’s why here at DPAS, we offer training specifically designed to help you in your role. We can also support your organisation by providing data protection training (whether this be for the role of a DPO or for the wider employee population).

We also offer outsourced DPO services and outsourced DPM services to support your organisation in its journey toward data protection compliance. So if your organisation doesn’t have anybody fulfilling either of these roles in-house, but you feel that it would be beneficial, we’ve got you covered.

To find out more, give us a call on 0203 3013384 or send us an email at info@dataprivacyadvisory.com – or fill in a contact form and we’ll get in touch with you.
