The DPD who cannot contradict anyone is not a DPD: real versus nominal independence under the LOPDP
Ecuadorian job postings seek a single person to simultaneously act as Data Protection Delegate, Information Security Officer and risk manager — with five years of experience in ISO 27001 and LOPDP. The problem is not the salary. It's that the LOPDP does not require a profile: it requires a function. And that function — exercised with real independence, access to the highest authority and complete technical and legal coverage — cannot be fulfilled by a single person who depends on the same organization they are supposed to supervise.
What the law means by Data Protection Delegate
Ecuador's LOPDP dedicates Arts. 48–50 to the Data Protection Delegate (DPD). The SPDP General Regulation develops the role in Arts. 48–57. Resolution SPDP-SPD-2025-0028-R establishes the specific regulation for the delegate, including designation, requirements and independence guarantees.
Art. 48 Regulation is precise: the DPD is the natural person in charge of advising, overseeing and supervising — independently — compliance with the legal obligations of the controller and processor. The same article adds that they will perform their functions with full independence, and that the controller is obliged to provide assistance, resources and tools to guarantee the exercise of those functions.
Art. 50 num. 5 LOPDP expressly establishes that the DPD will maintain a direct relationship with the highest executive and decision-making level of the controller. Not with their direct supervisor. Not with the legal department. With the highest authority. This is a legal obligation, not a best practice recommendation.
The real dichotomy: nominal DPD vs. functional DPD
The debate in the Ecuadorian market — should the DPD be a lawyer or a systems engineer? — starts from the wrong premise. The LOPDP does not establish a single academic profile. Art. 55 Regulation requires a university degree in Law, Information Systems, Communications or Technologies, and at least five years of professional experience. The law accepts both because it recognizes the role requires both competencies.
The relevant dichotomy is not about profile. It's about function:
- Nominal DPD: occupies the slot in the org chart, signs compliance documents, appears in the SPDP registry — but operates within the hierarchy, receives operational instructions from superiors, and has structural incentives not to contradict the organization that employs them.
- Functional DPD: exercises real independence. Can identify a non-compliance, report it to the highest authority without intermediation, and sustain that position without risk of labor sanction. Has access to all treatments, operations and documentation needed for their function.
Why one person cannot cover Art. 49 LOPDP
The four functions of Art. 49 LOPDP require competencies that in practice belong to different disciplines: legal compliance advisory, technical security evaluation, risk and DPIA management, and autonomous cooperation with the SPDP. No single profile can cover all four with equal depth — and the Ecuadorian market confirms this with job postings that seek one person to do all four simultaneously, at a salary that doesn't reflect the scope of the role.
Does your organization have a functional DPD or just a nominal one?
Wiibiq's free DataGuard diagnosis evaluates whether your DPD function meets the independence, functional coverage and highest-authority access standards that the LOPDP requires.
Request free DataGuard diagnosis →