Why organizations need to hire a data protection officer
The implementation of the EU’s General Data Protection Regulation on May 25, 2018 will have ramifications for organizations around the world. In fact, it will require more than 9,000 U.S. firms to hire a data protection officer, or DPO, to ensure its strict data protection regulations are met.
What exactly is a DPO?
This is a brand new role that will be responsible for educating a company and its employees on the requirements of GDPR, training staff involved in data processing and conducting regular security audits across the organization. The DPO will also serve as the main point of contact between the company and the supervisory authorities overseeing activities related to data collection or processing.
As the idea of the DPO role – and the role itself – is introduced to organizations, executive teams and board members will have to ask themselves a few very important questions before the GDPR legislation takes effect in May.
Does the organization need a DPO on board?
A DPO will be required within all public organizations (government agencies or other entities). Additionally, any organization processing data requiring systematic monitoring of subjects on a large scale – or processing special categories of sensitive personal data such as health, religion, race, sexual orientation, and personal data relating to criminal convictions and offenses – will need one. If an organization processes and manipulates personal data (e.g. banks, healthcare, credit companies), it will need to hire a DPO. However, an organization likely will not need one if it only holds HR data.
Should the DPO be a member of the organization now?
Whether an organization is required to hire a DPO or not, bringing one in may be a sound decision. Whoever is hired for the role doesn’t need to be a member of the organization, but the expertise of any external DPO must align with a business’ data processing operations and the level of data protection required for the personal data processed by data controllers and data processors.
What skills are needed for the role?
Finding someone with the right blend of experience will be challenging. The role will require a rare combination of skills, including an understanding of IT, operations, data security, and data protection laws and practices. The ideal DPO will be someone with a personality that lends itself well to building a culture of data protection, combined with the expertise of a Chief Compliance Officer and certain skills of a CISO or CTO. Think of the DPO as a free safety in football – it’s a role that will require versatility, to say the least.
Since finding the right fit may take time, organizations should consider a candidate who comes close to fitting the bill and help them close whatever gaps exist by offering the proper certifications and training in advance of the GDPR enforcement date.
How does an organization find the right DPO?
Organizations would be smart to begin evaluating potential DPO candidates as soon as possible to determine whether they meet the requirements while being a valuable addition to the GDPR stakeholder team. Are there any candidates already working within the organization who can fill this need? Assessing the internal team and talent is a good first place to look, as they will have the best understanding of the business.
The DPO will need to understand the company’s existing data sources and examine what types of personal data – particularly GDPR-regulated data – are being collected, handled and stored. To do that, they will want to conduct a visibility assessment to best understand risk exposure and prioritize compliance efforts.
What else does an organization need to know?
Whatever technologies are implemented to support this effort, it will be critical to first understand how they enable personal data to be processed. Controls must then be placed around that data – e.g. implicit consent (opt-in), the right to be forgotten, transparency, pseudonymisation and data portability – as end users have the right to receive documentation of how their personal data is being used and stored. Additionally, use of the data can be audited and shouldn’t be different from what the user opted in for. If usage changes, a company must notify the user and allow them to opt out.
GDPR is intentionally vague about how it prescribes solutions or technologies to achieve the necessary data controls and protection. The legislation was designed to be flexible in how it requires organizations and their DPOs to comply with its technology mandates. To best accommodate new and emerging technologies, like cloud-based systems, IoT and machine learning, specifications were kept open-ended. A potential negative effect, however, is that this leaves many companies with little guidance as to what technologies can help them get in step with GDPR’s requirements.
Preparing for GDPR now will allow ample time for testing and assessing the new protocols, hiring the right DPO and ensuring they are operating effectively. Aligning an organization to GDPR in advance of the May 25 deadline may seem like a daunting task, but getting the right DPO in place can help ease the pressure companywide to prevent potential financial and regulatory consequences down the line.