What to Look for in a Data Protection Officer, and Do You Need One?
The hiring of a data protection officer is a key element of compliance with GDPR, but it's also an opportunity to differentiate your company.
The 2018 deadline for compliance with the General Data Protection Regulation (GDPR) is well behind us and we are adjusting to life under the European law. While the new set of rules aims to give EU citizens more control over their personal data, our borderless world economy means GDPR impacts any company that conducts business in Europe or collects data from EU citizens.
Businesses found to be in violation of the GDPR face a fine of €20 million ($22.1 million) or four percent of global revenues, whichever is greater. One requirement is the designation of a data protection officer (DPO). GDPR introduces this new DPO role and makes it mandatory for companies that meet certain criteria to have a DPO in place.
Do you need a Data Protection Officer?
Your first step is to establish if you even need a DPO in order to comply with GDPR rules. You may be asking: Does this even apply to my company? The answer: It depends. It depends on how you are processing data, how much you are processing, and how you are retaining it. Article 37 of GDPR states that there are three scenarios under which a DPO is mandatory, they are:
The processing is carried out by a public authority;
The core activities of the controller or processor consist of processing operations which require regular and systematic processing of data subjects on a large scale; or
The core activities of the controller or processor consist of processing sensitive data on a large scale (Article 9) or data relating to criminal convictions/offences (Article 10).
But even with these guidelines, as Daniel Newman, Principal Analyst of Futurum Research, points out, the answer is not always clear cut. He does advise however that if your company is regularly gathering and processing large amounts of data without tossing it out once it is used, you should probably have a DPO.
Does your business process large amounts of personal data and retain it? Unfortunately, there is no clear definition of “large scale” in this instance, but much of the analysis to date advises that any company that collects and retains personal data on EU residents should consider their risk exposure and appoint a DPO.
What to consider if you need a DPO
If you’ve established that you need to designate a DPO, you need to ensure that person can work independently to conduct privacy assessments without any conflict so that your practices around data protection and compliance are up-to-date. The DPO must report to the top, without an intermediary in between the DPO and the highest management level.
Who should you place in this role? Article 37 states that the DPO may be a staff member of the controller or processor or fulfill the tasks based on a service contract. Many organizations are handling this by appointing existing people within the company and simply expanding roles. This is often the most efficient way to get a handle on this requirement for smaller businesses.
If adding the data protection oversight to an existing employee’s responsibilities is the chosen approach, this person must be given the appropriate training and GDPR education to manage the compliance framework. There are training programs to achieve DPO certification.
Small-to-medium-sized businesses who cannot hire a DPO in house may consider using a managed service provider for their DPO and outsourcing the responsibilities. This is not a violation of the law. A contract-service DPO may be the best option depending on the size of your organization and the available resources.
But for a large, multinational organization, this approach simply won’t do. A dedicated C-level data protection officer is a must, and they should have “expert knowledge of data protection law and practices.” The law does not specify what kind of background that entails.
Still, it is certain you will need someone with a deep understanding of GDPR, data privacy and processing, and how these new rules will continue to have an impact on future business operations. You will want someone with a long history in cybersecurity, risk and privacy who is experienced in audit and risk assessment practices.
Your DPO should also view the responsibilities of GDPR compliance as an opportunity to drive your business forward. Data privacy is not just an essential for compliance, it’s also a competitive advantage.
Now is the time to get your security and privacy vision articulated to make your company the place to be, and to recruit a privacy professional who is ready to take that vision into the future.
Jody Paterson is a trusted advisor and security thought leader who is a Certified Information Security Specialist (CISSP), a Certified Information Security Auditor (CISA), and CEO of ERP Maestro.
The InformationWeek community brings together IT practitioners and industry experts with IT advice, education, and opinions. We strive to highlight technology executives and subject matter experts and use their knowledge and experiences to help our audience of IT ... View Full Bio
We welcome your comments on this topic on our social media channels, or [contact us directly] with questions about the site.