Get to Know the DPO: Under GDPR, You May Need One - InformationWeek

Commentary, 8/3/2017, 07:00 AM
Thomas Fischer, Global Security Advocate, Digital Guardian


Getting ready for GDPR now will allow ample time for testing and assessing the new protocols, hiring the right data protection officer and ensuring they are operating effectively.

The EU General Data Protection Regulation (GDPR) was adopted in April 2016 and applies from May 25, 2018. It does not take effect "globally", but its reach is extraterritorial: it binds any organization established in the EU, and any organization outside the EU that offers goods or services to, or monitors the behaviour of, people in the EU (Article 3). One widely cited estimate puts the number of U.S. firms that will need to appoint a Data Protection Officer, or DPO, at more than 9,000. Note that the DPO is not the person who "ensures" compliance: under Article 39 the DPO informs, advises and monitors, while responsibility for complying stays with the controller or processor and its management (Article 24).

The DPO's tasks are set out in Article 39: informing and advising the organization and its employees about their obligations under GDPR; monitoring compliance, which includes assigning responsibilities, awareness-raising, training staff involved in processing, and the related audits; advising on data protection impact assessments (Article 35) and monitoring how they are carried out; and cooperating with the supervisory authority. The DPO is the point of contact for the supervisory authority on matters relating to processing and, under Article 38(4), also for data subjects who want to exercise their rights.

Because this is a new role for most organizations (Germany is the notable exception, having required company DPOs under its federal data protection law for decades), executive teams and board members will have to ask themselves a few important questions.

Will my organization need to hire a DPO?

Under Article 37(1), a DPO is mandatory in three cases: the organization is a public authority or body (courts acting in their judicial capacity excepted); its core activities consist of processing that requires regular and systematic monitoring of data subjects on a large scale; or its core activities consist of large-scale processing of special categories of data (Article 9: health, genetic and biometric data, racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, sex life or sexual orientation) or of data relating to criminal convictions and offences (Article 10). The test applies equally to controllers and processors, and member states may add further cases (Article 37(4)). The key word is "core": a bank, hospital or credit bureau processes personal data as its business and will need a DPO; a company whose only personal data is its own HR and payroll records processes that data as a support function, which the Article 29 Working Party's guidance does not treat as a core activity, so that alone does not trigger the obligation.

Does the DPO need to be a member of my organization?

Bringing on a DPO may be a sound decision whether or not your organization is required to have one, bearing in mind that a voluntarily appointed DPO is held to the same requirements as a mandatory one. The DPO does not need to be an employee: Article 37(6) allows the function to be performed under a service contract, and Article 37(2) lets a corporate group share a single DPO provided they are easily accessible from every establishment. Whether internal or external, the DPO's expertise must match the organization's processing operations and the level of protection the personal data requires, and the organization must give the DPO what Article 38 demands: involvement in all data protection matters, the resources to do the job, no instructions on how to carry out the tasks, no dismissal or penalty for performing them, and a direct line to the highest level of management.

What skills are needed for the role?

Finding someone with the right blend of experience will be challenging. Article 37(5) requires the DPO to be designated on the basis of professional qualities, in particular expert knowledge of data protection law and practices, and the ability to carry out the Article 39 tasks. In practice that means a rare combination: an understanding of IT and operations, data security, data protection law, and the ability to promote a data protection culture within the organization. Think of the DPO as a free safety in football, someone who combines the perspective of the Chief Compliance Officer with certain skills of a CISO or CTO. One caveat: the DPO may hold other duties, but Article 38(6) forbids any conflict of interest, and the Article 29 Working Party treats roles that determine the purposes and means of processing (chief executive, chief operating, chief financial or chief medical officer, head of marketing, head of HR, head of IT) as conflicting; the same logic is usually applied to the CISO, who owns the security controls the DPO must monitor. Borrow the skills, not the job title. Finding the right fit may take time, so consider a candidate who comes close to fitting the bill, then help them close the gaps with the proper certifications and training in advance of May 25, 2018.

How do I find the right DPO?

Organizations should start evaluating potential DPO candidates now to determine whether they meet the requirements while being a valuable addition to the GDPR stakeholder team. Look first at people already working within the organization, since they understand the business best, but screen them for the conflict-of-interest problem described above. The DPO's first task will be a data inventory: what personal data is collected, from whom, on what lawful basis, where it is stored, who it is shared with (including processors and any transfers outside the EU), and how long it is kept. This is not optional groundwork. Article 30 requires most controllers and processors to keep records of processing activities containing exactly this information and to produce them to the supervisory authority on request, so the inventory doubles as a compliance artefact and as the map of where the risk lives, which is what lets the DPO prioritize the rest of the effort.

What else do I need to know?

Whatever technologies are implemented to support this effort, it will be imperative to first understand how they enable personal data to be processed, and then to put controls around that data. Some of the requirements those controls must satisfy: where consent is the lawful basis, it must be a freely given, specific, informed and unambiguous affirmative act (Articles 4(11) and 7), which means opt-in, never implied consent or pre-ticked boxes, and it must be as easy to withdraw as it was to give. Data subjects have a right to be told how their data is used and a right of access to it (Articles 13 to 15), a right to erasure (Article 17, the "right to be forgotten") and a right to data portability (Article 20). Processing must be transparent and limited to the purposes stated at collection (Article 5(1)(b)), so a new use requires informing the data subject before it starts (Article 13(3)) and, where consent is the basis, fresh consent rather than an opt-out. Pseudonymisation is not a right but a safeguard: Article 32 names it and encryption as examples of technical measures that must be appropriate to the risk, and Article 33 gives the controller 72 hours from becoming aware of a personal data breach to notify the supervisory authority, the requirement most likely to land on the security team's desk. All of this can be audited, so the organization needs records showing what each data subject was told and agreed to, and what was actually done with the data.

GDPR is deliberately technology-neutral. It rarely prescribes a specific solution or technology; even Article 32 lists encryption and pseudonymisation only as examples of measures to apply "as appropriate", leaving organizations and their DPOs to choose controls proportionate to the risk. Things were kept open-ended to accommodate new and emerging technologies such as cloud-based systems, IoT and machine learning, which did not exist in their current form when the 1995 Data Protection Directive that GDPR replaces was written. The downside is that many companies feel they lack guidance on which technologies will get them in step with the requirements. The Article 29 Working Party's guidelines (including its December 2016 guidelines on DPOs, revised in April 2017) and the publications of national supervisory authorities are the closest thing to an official reading, and the DPO should be the person tracking them.

While May 25, 2018 might feel far off, getting ready for GDPR now will allow ample time for testing and assessing the new processes, hiring the right DPO and ensuring they are operating effectively. Aligning your business to GDPR may seem like a daunting task, but the consequences of not doing so are concrete: Article 83 allows administrative fines of up to €20 million or 4 percent of worldwide annual turnover, whichever is higher, for the most serious infringements, and failing to appoint a DPO when one is required is itself fineable (up to €10 million or 2 percent). Hiring the right DPO can help the organization avoid those financial and regulatory consequences down the line.

Thomas Fischer

Thomas Fischer is a global security advocate at Digital Guardian, where he plays a lead role in advising customers, investigating malicious activity and analyzing threats. With more than 25 years of experience, Thomas has a unique view on security in the enterprise, with experience in multiple domains from risk management and secure development to incident response and forensics. During his career, Thomas has held a range of roles, from incident responder to security architect, for Fortune 500 companies as well as industry vendors and consulting organizations.
