• Alon Alkalay

What Is The Difference Between An Information Officer And A Data Protection Officer?

Information Officers are required under South Africa’s Protection of Personal Information Act of 2013 (“POPIA”) and Promotion of Access to Information Act of 2000, whilst Data Protection Officers are required under the European Union’s General Data Protection Regulations (“GDPR”).

Are Information Officers and Data Protection Officers the same thing?

No, they are not but they serve very similar functions - helping the organisation process data lawfully. They are differentiated by the laws they aim to help a company comply with – to summarise, the differences may be summarised as follows:

Information Officers:

Under the POPIA (s55) and PAIA s1 & s17 (Deputies), Information Officers:

  • are automatic & compulsory – the CEO is the Information Officer, by default;

  • cannot be outsourced;

  • must be registered with the Information Regulator;

  • are mandated to utilise Deputy-Information Officers where necessary; and

  • are not required to have specific expertise in Data-Privacy Law under the POPIA.

Duties of Information Officers under the POPIA include:

  • encouragement of compliance with POPIA and its conditions for lawful processing;

  • dealing with requests made pursuant to POPIA; and

  • working with the Regulator in relation to investigations.

Data Protection Officers:

Under GDPR Articles 37-39, Data Protection Officers:

  • are not automatically required;

  • do not need to be an employee or part of organisation – they can be out-sourced;

  • do not need to be registered with the European Data Protection Authority;

  • are not mandated to utilise Deputy Data Protection Officers; and

  • require specific expertise in Data Privacy Laws (European).

Duties of the Data Protection Officer include:

  • monitoring compliance with GDPR, with other European Union or Member State data protection provisions and with the policies of the controller or processor in relation to the protection of personal data,

  • assignment of responsibilities;

  • awareness-raising and training of staff involved in processing operations; and

  • related audits.

Under the GDPR, if a Controllers/Processors core processing activities involve the processing of sensitive data on a large scale, or involve large scale, regular and systematic monitoring of individuals, a Data Protection Officer will be required.

Can they be the same person?

From a GDPR perspective, the short answer is yes. Article 38(6) of the GDPR states that:

The Data Protection Officer may fulfil other tasks and duties [and that] the controller or processor shall ensure that any such tasks and duties do not result in a conflict of interests. From a POPIA perspective, there is nothing in the POPIA indicating that an Information officer cannot undertake other duties.

Disclaimer: the information contained in this Insight is for awareness and discussion purposes only and does not constitute legal advice. For any enquiries, please get in touch at

#DigitalPrivacyLaw #SouthAfrica #EuropeanUnion