GDPR: The role of the DPO – And how to find one in a competitive landscape
GDPR (General Data Protection Regulation) introduces the new role of Data Protection Officer (DPO). While many organizations have had the title of such a role under the existing EU Directive, member states had different interpretations of what this meant. GDPR takes the responsibilities of the DPO to another level.
To be able to effectively discharge the duties of the DPO, as outlined in Articles 38 and 39 of GDPR, the DPO needs to have a high authority in their organization, have a wide range of experience and be multiskilled, both technically and socially.
The requirement to appoint a DPO will mainly fall upon large corporations, government bodies, organizations in the health and social care sectors, financial institutions, and mostly organizations that are based in the EU.
However, small and medium enterprises (SMEs) may also need a DPO role, as they could be a key component in a large corporate or government organization’s supply chain. These cases probably will not be a dedicated role, and could even be brought in as a managed service.
Also for the first time, an organization acting as an information processor under an outsourced, managed service, such as a cloud service provider arrangement, may need to consider the role of DPO.
This all means there is going to be a large requirement to recruit DPOs. There are many job adverts out there requiring X number of years of GDPR experience, but these people simply do not exist. Yes, there are many data privacy professionals out there, but the requirements of the GDPR go beyond this.
So, what makes a good DPO?
The DPO needs a mix of skills and experience extending from data privacy into information risk management, relationship management, persuasive/negotiating skills, and the ability to operate at the highest levels within an organization. DPOs will need to be able to effectively communicate across the whole of the organization with the ability to articulate potential risk, in business terms. The DPO needs to understand the risk to information and how to appropriately and adequately protect this information related to its level of risk, through people, processes and technology; related governance processes; and management controls.
The DPO’s initial primary focus will be to get his or her organization ready to be GDPR-compliant by the May 2018 deadline, when GDPR becomes enforceable. This will require engagement with all areas of the organization to obtain a good understanding of the information, gathered, processed, stored and shared, with particular attention on Personal Identifiable Information (PII).
However, once the DPO has the organization GDPR-ready, the DPO can add real business value by taking a wider view into information governance. With this in mind, larger organizations should seriously consider developing the DPO role in to the role of the Chief Data Officer (CDO).
Many of the skills and standing within an organization required belong to that of a Chief Data Officer (CDO). While the role of the CDO is wider than that of the DPO, there are many similarities.
To sum up, there is massive requirement to recruit DPOs with GDPR experience. As GDPR is only in its implementation phase, these people do not exist in the numbers required. Therefore, organizations need to take a more pragmatic view. Look at existing data protection professionals; can they be developed into the role of the DPO with training and coaching? Look at information risk and information governance professionals; can they be trained in data privacy? For the large corporates, look at the role of Chief Data Officer, and for SMEs, look at buying a managed service.
(This post originally appeared on the ISACA blog, which can be viewed here)