What Does the DPO Do in Practice?

The DPO is not a symbolic appointment. It is who builds, operates and certifies the compliance system, from the first data inventory to the report that reaches the Agency after a breach. These are its main concrete responsibilities under Law 21.719.

The DPO is not a symbolic role. It is who builds, operates and certifies the compliance system. These are its concrete responsibilities under Law 21.719, from mapping the data to certifying the prevention model.

The officer's main functions

A representative set, not an exhaustive one. Each is a real task, not a line in a job description, and several open into their own guides in the data cluster.

  1. Inventory and classify data

    Build and maintain the record of processing activities (RAT): what data exists, where it is, what it is used for and under which legal basis.

  2. Validate lawful bases

    Ensure each processing has a legal ground: consent, contract, legitimate interest or legal obligation. See consent or legitimate interest.

  3. Impact assessments (DPIA)

    Assess risks before implementing new or high-impact processing of personal data. See impact assessment.

  4. Policies and privacy by design

    Draft internal policies and ensure every new system incorporates data protection from its architecture.

  5. Audit systems and processes

    Verify that what the policies say is actually met in databases, applications and operational flows.

  6. Manage ARCO+ rights

    Receive and resolve access, rectification, erasure, objection and portability requests within the legal deadline. See data subject rights.

  7. Lead breach response

    Coordinate containment with IT, assess the legal impact and notify the Agency without undue delay. See breach notification.

  8. International transfers

    Assess and authorize transfers of data outside the country, ensuring adequate levels of protection. See international transfers.

  9. Training and culture

    Train internal teams in data protection so compliance becomes part of daily operations.

  10. Certify the prevention model

    Register and maintain the infringement-prevention model before the Agency (Article 49), the key mechanism to mitigate the company's liability.

Two of these functions carry a depth of their own, where the legal rule meets the systems: the ARCO+ rights and their deadlines, and the breach response shared with IT.

The weight behind the list

Functions that cut across law and systems are why the profile is so hard to hire, and why so many companies weigh in-house against an external DPO. All of them rest on the officer\'s autonomy and independence.

Which of these is your company missing?

Most organizations do a few of these functions well and leave the rest uncovered. The data-law diagnosis maps your processing against Law 21.719 and shows which of the DPO's functions are running and which are gaps.

Request a data-law diagnosis

Frequently asked questions

Is the DPO a symbolic role or does it do real work?

Real, continuous work. Appointing one is not enough: the DPO builds, operates and certifies the compliance system. Its functions range from building the processing inventory to leading breach response and certifying the prevention model before the Agency.

What is the DPO's first function?

Building and maintaining the record of processing activities (RAT): what data exists, where it is, what it is used for and under which legal basis. Without that map none of the other functions has a foundation, because you cannot protect or evidence what you have not inventoried.

Does the DPO handle data-subject requests?

Yes. It receives and resolves access, rectification, erasure, objection and portability requests within the legal deadlines, coordinating with technical teams so the response is real in the systems and not only formal.

What is the DPO's role in a security breach?

It assesses whether the type of data compromised triggers a duty to notify, prepares the formal report and is the point of contact before the Agency. While the technical team contains the incident, the DPO manages the legal front and the official communication, both in parallel.

Does the DPO certify the prevention model?

Yes. Registering and maintaining the infringement-prevention model before the Agency (Article 49) is one of its key functions, because that model is the mechanism the law recognizes to mitigate the company's liability.

Official sources

Transform Your Legal Challenges into Competitive Advantages

Discover how our innovative approach can drive your business

© 2025 AnguitaOsorio, all rights reserved.
Chile

Contact

Contáctanos

Phone:

+56 2 2760 4512

Location:

Cerro el Plomo 5420, office 1306, Las Condes, Metropolitan Region.