Get to Know the DPO: Under GDPR, You May Need One

Getting ready for GDPR now will allow ample time for testing and assessing the new protocols, hiring the right data protection officer and ensuring they are operating effectively.

Guest Commentary, Guest Commentary

August 3, 2017

4 Min Read
Thomas Fischer

When the EU General Data Protection Regulation (GDPR) takes effect globally on May 25, 2018, more than 9,000 U.S. firms will be required to hire a Data Protection Officer, or DPO, to ensure its strict data protection regulations are met.

The DPO will be responsible for educating the company and its employees on the important requirements of GDPR, training staff involved in data processing, and conducting regular security audits. DPOs will also serve as the point of contact between the company and any supervisory authorities that oversee activities related to data collection or processing.

Considering that this a brand new role for organizations, executive teams and board members will have to ask themselves a few very important questions.

Will my organization need to hire a DPO?

All public organizations (government agencies or other entities) will be required to appoint a DPO under GDPR, as will any organization processing data requiring systematic monitoring of subjects on a large scale – or processing special categories of sensitive personal data such as health, religion, race, sexual orientation, and personal data relating to criminal convictions and offenses. Generally, a DPO will be required if the company processes and manipulates personal data – e.g. banks, healthcare, credit companies – but not if it only has HR data.

Does the DPO need to be a member of my organization?

Bringing on a DPO may be a sound decision whether your organization is required to have one or not. They don’t need to be members of the organization, but the expertise of any external DPO must align with a business’ data processing operations and the level of data protection required for the personal data processed by data controllers and data processors.

What skills are needed for the role?

Finding someone with the right blend of experience will be challenging. The role will require a rare combination of skills including an understanding IT, operations, data security, data protection laws and practices, and the ability to promote a data protection culture within the organization. Think of the DPO as a free safety in football – someone who can combine expertise from the Chief Compliance Officer along with certain skills of a CISO or CTO. Finding the right fit may take time, so organizations should consider a candidate who comes close to fitting the bill, then helping them close the gaps with the proper certifications and training in advance of the GDPR enforcement date.

How do I find the right DPO?

Organizations should start evaluating potential DPO candidates now to determine if they meet the requirements while being a valuable addition to the GDPR stakeholder team. First look for candidates already working within the organization, as they will have the best understanding of the business. Your DPO will want to conduct a visibility assessment to best understand risk exposure and prioritize compliance efforts. He or she will need to understand the company’s existing data sources and examine what types of personal data – particularly GDPR-regulated data – is being collected, handled and stored.

What else do I need to know?

Whatever technologies are implemented to support this effort, it will be imperative to first understand how they enable personal data to be processed. Then controls must be placed around that data – e.g. implicit consent (opt-in), the right to be forgotten, transparency, pseudonymisation and data portability – as end users have the right to receive documentation of how their personal data is being used and stored. Additionally, use of the data can be audited and shouldn’t be different than what the user opted in for. If usage changes, a company must notify the user and allow them to opt-out.

GDPR was crafted to be intentionally nebulous in how it prescribes solutions or technologies to achieve the necessary data controls and protection. The legislation was designed to be flexible in how it requires organizations and their DPOs to comply with its technology mandates. They kept things a bit open ended to best accommodate new and emerging technologies, like cloud-based systems, IoT and machine learning, which didn’t exist when previous data protection regulations were established. Unfortunately, this leaves many companies lacking guidance as to what technologies can help them get in step with GDPR’s requirements.

While May 25, 2018 might feel far off, getting ready for GDPR now will allow ample time for testing and assessing the new protocols, hiring the right DPO and ensuring they are operating effectively. Aligning your business to GDPR may seem like a daunting task, but hiring the right DPO can help the organization prevent potential financial and regulatory consequences down the line.

Thomas Fischer is a global security advocate at Digital Guardian, where he plays a lead role in advising customers, investigating malicious activity and analyzing threats. With more than 25 years of experience, Thomas has a unique view on security in the enterprise with experience in multiple domains from risk management and secure development to incident response and forensics. During his career, Thomas has held varying roles from incident responder to security architect for fortune 500 companies, as well as industry vendors and consulting organizations.

About the Author(s)

Guest Commentary

Guest Commentary

The InformationWeek community brings together IT practitioners and industry experts with IT advice, education, and opinions. We strive to highlight technology executives and subject matter experts and use their knowledge and experiences to help our audience of IT professionals in a meaningful way. We publish Guest Commentaries from IT practitioners, industry analysts, technology evangelists, and researchers in the field. We are focusing on four main topics: cloud computing; DevOps; data and analytics; and IT leadership and career development. We aim to offer objective, practical advice to our audience on those topics from people who have deep experience in these topics and know the ropes. Guest Commentaries must be vendor neutral. We don't publish articles that promote the writer's company or product.

Never Miss a Beat: Get a snapshot of the issues affecting the IT industry straight to your inbox.

You May Also Like

More Insights