Data Protection Officer Drought Predicted
Google's global privacy counsel doubts there are enough data defenders to help companies comply with EU data rules.
Be careful what you wish for: Five years ago, Google global privacy counsel Peter Fleischer called for privacy standards around the world to be harmonized because the regulations were all over the map.
Privacy laws around the world might not ever be in perfect harmony, but lately even the freewheeling U.S. seems to be marching to Europe's insistent drumbeat of data protection. Earlier this year, the European Commission proposed a broad reform of the EU's 1995 data protection regime. A month later, the Obama administration issued its Consumer Privacy Bill of Rights as part of a broader data privacy initiative.
Although the EU's new data protection rules might not complete their journey through the legislative process for a few more years, companies have to start thinking about the impact of the regulations well before then.
Writing on his personal blog on Friday, Fleischer warned that there are not enough experienced data protection officers to meet the impending legal requirements and that more need to be trained.
"Soon, many thousands of companies operating in Europe will be looking to appoint [data protection officers] to meet legal obligations, and since there is no available pool of such people, companies need to start thinking now about how to recruit, train and resource a DPO, and/or an entire DPO team, for the large companies," he wrote.
The proposed EU requirement to appoint a DPO applies to companies with 250 or more employees. However, EU data rules should be considered by any company with customers in Europe, such as mobile app makers, regardless of size. The potential fines for violating the rules make compliance a necessity: up to 1 million euros or up to 2% of a company's global annual revenue.
Fleischer sees three viable approaches to the new rules, depending on the complexity of companies' data processing requirements.
Companies with relatively simple data operations can probably just train existing personnel from human resources or marketing for the role, he suggests.
They might also be able to outsource the DPO role, which he sees as a potential business opportunity for entrepreneurs.
Companies with large, complex data processing and handling operations will have the most adjustment to do. "[T]oday, rather shockingly, some of the world's largest data processing companies, with mega-databases of trillions of pieces of personal data, do not have a single heavy-weight DPO on staff," he wrote.
Fleischer argues that such companies must give their DPOs real resources and authority; that authority, he suggests, will come in part from the DPO's own knowledge of privacy law and willingness to defend privacy interests. Although executive backing for the DPO's mandate matters, he notes that DPOs will also have some inherent independence through legal protections against unfair dismissal.