DPOs and Notification Requirements
Is the concept of data protection officer (DPO) recognized in the jurisdiction?

Last review date: 31 December 2024

Yes.

Are there circumstances in which it is mandatory to appoint a DPO or similar position?

Last review date: 31 December 2024

Yes.

If yes, under what circumstances?

☒   other

HIPAA requires the designation of a privacy officer and a security officer. Additionally, under the GLBA's Safeguards Rule passed in 2021 by the FTC, a financial institution must have a "qualified individual" overseeing the implementation of its information security program. In addition, the NYDFS CR requires the designation of a chief information security officer.

Where a DPO is appointed, does the DPO have to meet specific requirements?

Last review date: 31 December 2024

Yes.

If yes, what are these requirements?

☒   other

HIPAA does not set out express requirements, but the HIPAA privacy and security officers must be qualified to administer the respective obligations under the HIPAA Privacy and Security Rules. The GLBA states that qualified individuals overseeing information security programs must have "some level of information security training and knowledge." NYDFS CR specifies that the designated chief information security officer must be qualified and responsible for overseeing and implementing the covered entity's cybersecurity program and enforcing its cybersecurity policy and must report in writing at least annually to the covered entity's board of directors or equivalent governing body.

Are there obligations to notify, submit filings to, register with or obtain approval from local data protection authorities to collect and/or process personal data generally?

Last review date: 31 December 2024

No, but exceptions do apply. For example, Vermont and California require data brokers to register and there are other registration requirements that are emerging.