Who Should Be the Data Protection Officer?
Legal, ICT, or Records Management?
By RIMEA Corporate Training Division
Tuesday, June 10, 2025
As privacy regulations tighten across the globe, organizations are increasingly being urged—or legally compelled—to appoint a Data Protection Officer (DPO). But for many businesses, a key question remains: Who within the organization is best suited to take on this role? Should it be someone from Legal, ICT, or Records Management?
With regulatory frameworks like the EU’s GDPR and Kenya’s Data Protection Act 2019 gaining traction, appointing a DPO is no longer just best practice—it’s fast becoming a strategic and legal necessity. This article explores the law, the responsibilities of a DPO, and offers insight into which department is best placed to lead an organization’s data protection efforts.
A Role on the Rise
If your organization handles personal data—whether in customer service, marketing, healthcare, or HR—you may fall under legal obligations to appoint a DPO. While the Data Protection Act 2019 (Kenya) only mandates the designation of a DPO in certain cases, experts argue it is worth considering for all organizations that process personal data.
“The DPO isn’t just a legal figure,” says a data governance expert. “They are the linchpin of trust between your organization and the people whose data you hold.”
Who Is a Data Protection Officer?
Section 24 of Kenya’s Data Protection Act establishes the DPO as a new professional function within organizations. The primary role of the DPO is to spearhead privacy compliance programs, develop internal data protection policies, and serve as a point of contact between the organization and the Data Commissioner.
The law applies broadly. Under Section 24, companies—both public and private—must appoint a DPO if:
- Their core activities involve systematic monitoring of individuals;
- They process sensitive categories of personal data (e.g., health, biometric, or financial data).
However, the terms “systematic monitoring” and “core activities” are not yet clearly defined in local law, creating uncertainty for businesses. Until further clarification is issued by regulators or the courts, organizations are advised to adopt a risk-based approach and consider appointing a DPO where privacy issues are prominent.
What Does the DPO Do?
Far from being a ceremonial role, the DPO is tasked with a broad set of responsibilities:
- Advising the organization on legal obligations under the Data Protection Act;
- Training employees on data handling practices;
- Overseeing internal audits and compliance checks;
- Conducting Data Protection Impact Assessments (DPIAs);
- Serving as the main liaison with the Data Commissioner;
- Maintaining records of data processing activities.
“In practice, the DPO acts as both an internal watchdog and a compliance strategist,” says a Nairobi-based legal advisor.
Who Should Take the Lead—Legal, ICT, or Records?
Once the decision is made to appoint a DPO, the next challenge is figuring out who should take on the role.
Let’s examine the three most likely candidates:
Legal Department: Compliance Commanders
The legal team is often the default choice for DPO appointments. Lawyers understand regulatory language, are skilled at interpreting risk, and can interface effectively with government authorities.
- Pros: Strong on compliance, risk, and legal frameworks.
- Cons: May lack technical knowledge of how data is actually processed.
Verdict: The best overall fit, particularly in regulated industries like banking, insurance, or healthcare.
Records Management: Governance Experts
Records managers are champions of order, lifecycle control, and retention policy. In data-heavy organizations such as government agencies or universities, they understand how information is stored and accessed.
- Pros: Experienced in classification, access control, and archival procedures.
- Cons: May not fully grasp legal or technical privacy requirements.
Verdict: A good secondary choice with strong policy support—but would require legal and ICT input to meet full DPO duties.
ICT Department: Tech-Savvy, But Conflicted
ICT knows where the data lives. They build and maintain the systems that store, secure, and transmit information. However, this close proximity to data systems presents a potential conflict of interest.
- Pros: Deep knowledge of infrastructure, security, and systems.
- Cons: Cannot objectively monitor systems they are responsible for.
Verdict: Essential as support, but not suitable as a standalone DPO.
The Smart Setup: Cross-Functional, Legal-Led
While Legal may be the natural home for the DPO, experts stress the importance of a cross-functional support structure. Successful privacy programs require input from:
- Legal (to interpret laws),
- ICT (to enforce controls),
- Records Management (to govern lifecycle and classification).
“The DPO doesn’t work in a vacuum,” says a data privacy consultant. “It’s a leadership role that relies on collaboration across departments.”
Bottom Line: A Strategic Appointment
Appointing a Data Protection Officer is about more than regulatory compliance. It’s a statement of organizational integrity and a strategic move toward digital trust.
Whether you’re a startup or a state agency, getting this appointment right can reduce risk, improve transparency, and demonstrate a genuine commitment to protecting the data rights of your clients, customers, and employees.
Need to Appoint a DPO?
Start with your Legal team—but don’t let them work alone. Build a privacy program that is collaborative, informed, and empowered.
This article is part of our ongoing coverage on digital policy, data rights, and regulatory compliance. For more in-depth reports, visit our Corporate Training Division.