What is a DPO, and which organizations have to appoint one?
A Data Protection Officer (DPO) is a person in charge of verifying that the processing of personal data complies with the applicable law. The DPO communicates information about personal data processing, such as its purposes, interconnections, the types of data, the categories of data subjects, the length of retention and the department(s) in charge of implementing the processing. Appointing a DPO may be required by law or merely recommended.
Mexico’s data protection law requires that businesses designate either an individual who is responsible for personal data protection or a personal data protection department. This individual or team would be responsible for managing personal data requests from data subjects. They would also be responsible for implementing the ordinance and promoting the protection of personal data within the company (Federal Law on the Protection of Personal Data Held by Private Parties).
The DPO or data protection team should be knowledgeable about data protection and should ideally speak Spanish to facilitate communication with data owners. Responsibilities include:
- processing employee (and other data owner) requests to exercise rights; and,
- promoting the protection of personal data in the company.
The National Institute for Transparency, Access to Information and Personal Data Protection (INAI) has a number of recommendations, including the following responsibilities for the DPO or data protection team:
- establish and manage a system to receive, process, follow up on and address (in a timely manner) requests from individuals to exercise their rights as data owners;
- keep track of changes in personal data protection-related legislation;
- design and implement a policy and/or practices regarding the protection of personal data;
- align the policy and/or practices with internal company processes;
- develop a mechanism to evaluate the efficiency of the policy and/or practices;
- monitor and evaluate any internal processes related to data processing;
- coordinate measures with other internal departments to ensure compliance with the policy and/or practices;
- communicate the policy and/or practices within the company;
- foster a culture of personal data protection;
- monitor compliance with the policy and/or practices;
- identify and implement best practices to protect personal data; and,
- act as the liaison within the company for personal data protection-related matters.